Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.102
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   10/08/2013 08:35:34.583 PDT
Gen. Time:        10/08/2013 08:35:34.583 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (08:35:34.583 PDT)
       event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-55826 (08:35:34.583 PDT)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1381246534.583 1381246534.584 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.102
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   10/08/2013 08:35:34.583 PDT
Gen. Time:        10/08/2013 08:42:01.080 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (5) (08:35:34.583 PDT)
       event=1:92009714 (4) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata="><script>foo</script>] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-57709 (08:37:45.637 PDT)
          80<-58090 (08:37:55.319 PDT)
          80<-58092 (08:37:55.328 PDT)
          80<-58093 (08:37:55.330 PDT)
       -------------------------
       event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-55826 (08:35:34.583 PDT)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1381246534.583 1381246534.584 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.102
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   10/08/2013 08:44:21.368 PDT
Gen. Time:        10/08/2013 08:44:21.368 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (08:44:21.368 PDT)
       event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/item.fts?href="><script>alert("ftgate_44002.nasl")</script>;] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-34220 (08:44:21.368 PDT)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1381247061.368 1381247061.369 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.102
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   10/08/2013 08:44:21.368 PDT
Gen. Time:        10/08/2013 08:48:26.233 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (15) (08:44:21.368 PDT)
       event=1:92009714 (9) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/item.fts?href="><script>alert("ftgate_44002.nasl")</script>;] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-34220 (08:44:21.368 PDT)
          80<-34228 (08:44:22.389 PDT)
          80<-34243 (08:44:25.426 PDT)
          80<-34259 (08:44:27.448 PDT)
          80<-34298 (08:44:34.579 PDT)
          80<-34298 (08:44:34.582 PDT)
          80<-34317 (08:44:34.658 PDT)
          80<-34481 (08:44:35.644 PDT)
          80<-34490 (08:44:35.675 PDT)
       -------------------------
       event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-34286 (08:44:32.513 PDT)
          80<-34309 (08:44:34.624 PDT)
          80<-34477 (08:44:35.597 PDT)
       -------------------------
       event=1:92016977 {tcp} E2[irb] ET WEB_SERVER allow_url_include PHP config option in uri, [] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-34465 (08:44:35.538 PDT)
       -------------------------
       event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-34465 (08:44:35.538 PDT)
       -------------------------
       event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 1C:DF:0F:66:3D:B0
          80<-34465 (08:44:35.538 PDT)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1381247061.368 1381247061.369 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.102
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   10/08/2013 15:48:19.889 PDT
Gen. Time:        10/08/2013 15:48:19.889 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (15:48:19.889 PDT)
       event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/WebID/IISWebAgentIF.dll?postdata="><script>foo</script>] MAC_Dst: 00:21:5A:08:EC:40
          80<-54361 (15:48:19.889 PDT)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1381272499.889 1381272499.890 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.102
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   10/08/2013 15:53:54.295 PDT
Gen. Time:        10/08/2013 15:53:54.295 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (15:53:54.295 PDT)
       event=1:92016184 {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/settings/version.cfm] MAC_Dst: 00:21:5A:08:EC:40
          80<-54517 (15:53:54.295 PDT)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1381272834.295 1381272834.296 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.102
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   10/08/2013 16:08:51.161 PDT
Gen. Time:        10/08/2013 16:08:51.161 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (16:08:51.161 PDT)
       event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/<script>foo</script>] MAC_Dst: 00:21:5A:08:EC:40
          80<-55225 (16:08:51.161 PDT)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1381273731.161 1381273731.162 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.102
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   10/08/2013 16:08:51.161 PDT
Gen. Time:        10/08/2013 16:14:35.997 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (9) (16:08:51.161 PDT)
       event=1:92009714 (9) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/<script>foo</script>] MAC_Dst: 00:21:5A:08:EC:40
          80<-55225 (16:08:51.161 PDT)
          80<-55232 (16:09:07.357 PDT)
          80<-55242 (16:09:56.064 PDT)
          80<-55243 (16:09:59.473 PDT)
          80<-55244 (16:10:02.576 PDT)
          80<-55248 (16:10:04.637 PDT)
          80<-55249 (16:10:05.142 PDT)
          80<-55452 (16:10:43.393 PDT)
          80<-55454 (16:10:43.428 PDT)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1381273731.161 1381273731.162 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.102
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   10/08/2013 16:22:47.173 PDT
Gen. Time:        10/08/2013 16:22:47.173 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (16:22:47.173 PDT)
       event=1:92009714 {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/console/faces/com_sun_web_ui/help/masthead.jsp?windowTitle=</title><script>alert('sun_java_web_console_helpwindow_xss.nasl')</] MAC_Dst: 00:21:5A:08:EC:40
          80<-57795 (16:22:47.173 PDT)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1381274567.173 1381274567.174 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score:            0.8 (>= 0.8)
Infected Target:  192.168.1.102
Infector List:    128.18.30.15
Egg Source List:  <unobserved>
C & C List:       <unobserved>
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   10/08/2013 16:22:47.173 PDT
Gen. Time:        10/08/2013 16:37:47.312 PDT


INBOUND SCAN
    <unobserved>
    
EXPLOIT
    <unobserved>
    
EXPLOIT (INTERNAL)
    128.18.30.15 (16) (16:22:47.173 PDT)
       event=1:92009714 (10) {tcp} E2[irb] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt, [/console/faces/com_sun_web_ui/help/masthead.jsp?windowTitle=</title><script>alert('sun_java_web_console_helpwindow_xss.nasl')</] MAC_Dst: 00:21:5A:08:EC:40
          80<-57795 (16:22:47.173 PDT)
          80<-57796 (16:22:47.177 PDT)
          80<-57862 (16:24:54.829 PDT)
          80<-57871 (16:25:05.760 PDT)
          80<-57891 (16:26:43.038 PDT)
          80<-57904 (16:26:48.218 PDT)
          80<-57926 (16:27:35.237 PDT)
          80<-57932 (16:27:35.654 PDT)
          80<-58053 (16:31:40.498 PDT)
          80<-58288 (16:34:21.954 PDT)
       -------------------------
       event=1:92016184 (3) {tcp} E2[irb] ET WEB_SERVER ColdFusion administrator access, [/CFIDE/administrator/index.cfm] MAC_Dst: 00:21:5A:08:EC:40
          80<-57812 (16:23:21.230 PDT)
          80<-57833 (16:24:25.991 PDT)
          80<-58278 (16:34:21.626 PDT)
       -------------------------
       event=1:92016977 {tcp} E2[irb] ET WEB_SERVER allow_url_include PHP config option in uri, [] MAC_Dst: 00:21:5A:08:EC:40
          80<-58002 (16:29:44.768 PDT)
       -------------------------
       event=1:92016979 {tcp} E2[irb] ET WEB_SERVER suhosin.simulation PHP config option in uri, [/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d ] MAC_Dst: 00:21:5A:08:EC:40
          80<-58002 (16:29:44.768 PDT)
       -------------------------
       event=1:92016980 {tcp} E2[irb] ET WEB_SERVER disable_functions PHP config option in uri, [] MAC_Dst: 00:21:5A:08:EC:40
          80<-58002 (16:29:44.768 PDT)
       
EXPLOIT MALWARE DNS
    <unobserved>
    
EGG DOWNLOAD
    <unobserved>
    
EGG DOWNLOAD (INTERNAL)
    <unobserved>
    
C and C TRAFFIC
    <unobserved>
    
C and C TRAFFIC (INTERNAL)
    <unobserved>
    
C and C TRAFFIC (RBN)
    <unobserved>
    
C and C DNS CHECK-IN
    <unobserved>
    
OUTBOUND SKYPE CANDIDATE
    <unobserved>
    
OUTBOUND SCAN (spp)
    <unobserved>
    
OUTBOUND ATTACK
    <unobserved>
    
OUTBOUND ATTACK (INTERNAL)
    <unobserved>
    
ATTACK PREP
    <unobserved>
    
PEER COORDINATION Info
    <unobserved>
    
PEER COORDINATION
    <unobserved>
    
DECLARE BOT Standard Port
    <unobserved>
    
DECLARE BOT Non-standard Port
    <unobserved>
    
DECLARE BOT
    <unobserved>
    
OUTBOUND INTENSE MALWARE PORT SCAN
    <unobserved>
    
tcpslice 1381274567.173 1381274567.174 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================