
Overview

Somnium generates detailed result files for each test category. Understanding these output files is crucial for validating your security controls and identifying gaps in your defenses.

Output File Locations

All result files are saved in the current working directory where you executed Somnium:
Test Category            Output File
Known Bad IPs            IP_Results.txt
Phishing URLs            URL_Results.txt
TOR Exit Nodes           TOR_Results.txt
Malware Distribution     Malware_Results.txt
Cryptomining Domains     Mining_Results.txt
DGA Domains              DGA_Results.txt
Remote Desktop Tools     RAT_Results.txt
Bad User Agents          Agent_Results.txt
DNS over HTTPS           DoH_Results.txt
Result files are opened in append mode (a+), so running the same test multiple times will add new results to the existing file rather than overwriting it.

Result File Formats

Files: IP_Results.txt, TOR_Results.txt

Format Structure

Timestamp:<TIME> IP:<IP_ADDRESS> : Port:<PORT_NUMBER> test <STATUS>

Example Output

Timestamp:14:23:45 IP:192.0.2.1 : Port:80 test SUCCESSFUL
Timestamp:14:23:50 IP:192.0.2.1 : Port:22 test FAILED
Timestamp:14:23:55 IP:192.0.2.1 : Port:443 test SUCCESSFUL
Timestamp:14:24:02 IP:198.51.100.42 : Port:80 test FAILED
Timestamp:14:24:07 IP:198.51.100.42 : Port:22 test FAILED
Timestamp:14:24:12 IP:198.51.100.42 : Port:443 test SUCCESSFUL

Field Descriptions

  • Timestamp: Time in HH:MM:SS format (local system time)
  • IP: The malicious IP address being tested
  • Port: TCP port number (80, 22, or 443 for bad IPs; 80 or 443 for TOR)
  • Status:
    • SUCCESSFUL: Connection established (potentially a security gap)
    • FAILED: Connection blocked or timed out (expected behavior)

Interpreting Results

A successful connection to a known malicious IP indicates:
  • Firewall rules may not be blocking the threat feed
  • IPS/IDS signatures are not preventing the connection
  • The IP may have been removed from blocklists
Action items:
  1. Verify the IP is still on threat intelligence feeds
  2. Check firewall and IPS policies
  3. Review why the connection was allowed
  4. Add the IP to your blocklist if missing
A failed connection is the desired outcome:
  • Firewall is blocking the malicious IP
  • Network timeout occurred (no route to host)
  • IPS dropped the connection attempt
Validation steps:
  1. Check firewall logs for explicit DENY entries
  2. Verify IPS/IDS generated alerts
  3. Confirm SIEM correlated the event

Timestamp Format

All result files use the time.strftime("%X") format, which outputs local time in HH:MM:SS format (%X is the locale's time representation; in the default C/POSIX locale that is HH:MM:SS):
14:23:45  (2:23:45 PM)
09:15:30  (9:15:30 AM)
23:59:59  (11:59:59 PM)
When correlating Somnium results with security logs, ensure you account for time zone differences between the test system and your security infrastructure. Note also that the timestamp carries only the time of day, not the date, so when a result file spans several days you need your own record of when each run started.

Analyzing Multiple Test Runs

Since results append to existing files, you can analyze trends over time:
  1. Identify test sessions

     Look for patterns in timestamps to distinguish different test runs:

     # Extract unique timestamps to see test sessions
     cut -d' ' -f1 IP_Results.txt | sort -u

  2. Compare success rates

     Count successful vs failed attempts:

     # Count successful connections
     grep -c "SUCCESSFUL" IP_Results.txt

     # Count failed connections
     grep -c "FAILED" IP_Results.txt

  3. Identify problematic IPs/URLs

     Find which threats are consistently getting through:

     # Find IPs that successfully connected
     grep "SUCCESSFUL" IP_Results.txt | cut -d' ' -f2 | sort | uniq -c
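The same analysis as a small Python script, added here as an example and not part of Somnium itself: it parses the IP_Results.txt / TOR_Results.txt line format shown above, splits the rows into test sessions using the gap between consecutive timestamps, and counts SUCCESSFUL connections per IP and port. The sample lines are constructed, and the 5-minute session gap is an assumption you can tune.

```python
import re
from collections import Counter

# One line of IP_Results.txt / TOR_Results.txt, for example:
# Timestamp:14:23:45 IP:192.0.2.1 : Port:80 test SUCCESSFUL
LINE_RE = re.compile(
    r"^Timestamp:(?P<time>\d{2}:\d{2}:\d{2}) IP:(?P<ip>\S+) : "
    r"Port:(?P<port>\d+) test (?P<status>SUCCESSFUL|FAILED)$"
)

# Constructed sample: the same IP tested twice, about 16 minutes apart.
SAMPLE = """\
Timestamp:14:23:45 IP:192.0.2.1 : Port:80 test SUCCESSFUL
Timestamp:14:23:50 IP:192.0.2.1 : Port:22 test FAILED
Timestamp:14:23:55 IP:192.0.2.1 : Port:443 test SUCCESSFUL
Timestamp:14:24:02 IP:198.51.100.42 : Port:80 test FAILED
Timestamp:14:40:10 IP:192.0.2.1 : Port:80 test FAILED
Timestamp:14:40:15 IP:192.0.2.1 : Port:22 test FAILED
Timestamp:14:40:20 IP:192.0.2.1 : Port:443 test SUCCESSFUL
"""

def seconds_since_midnight(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse_results(text):
    """Return (time, ip, port, status) tuples; malformed or blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["time"], m["ip"], int(m["port"]), m["status"]))
    return rows

def split_sessions(rows, gap_seconds=300):
    """Start a new session when the gap to the previous row exceeds gap_seconds (assumed
    5 min) or the clock went backwards (only HH:MM:SS is logged, so past midnight too)."""
    sessions, prev = [], None
    for row in rows:
        now = seconds_since_midnight(row[0])
        if prev is None or now < prev or now - prev > gap_seconds:
            sessions.append([])
        sessions[-1].append(row)
        prev = now
    return sessions

def control_gaps(rows):
    """Count SUCCESSFUL connections per (ip, port): the threats that got through."""
    return Counter((ip, port) for _, ip, port, status in rows if status == "SUCCESSFUL")
```

Feed it the real file with parse_results(open("IP_Results.txt").read()); an (ip, port) that appears in control_gaps across every session is a control that has never blocked that threat.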

Best Practices for Result Analysis

After each test:
  1. Note the start and end timestamps
  2. Search your SIEM for events in that timeframe
  3. Verify security controls logged the activity
  4. Document any missing alerts or blocks
Prevent result files from growing too large:
# Archive current results with date
DATE=$(date +%Y%m%d_%H%M%S)
# Create the dated subdirectory first; mv into a nonexistent directory fails
mkdir -p "results_archive/results_${DATE}"
mv *_Results.txt "results_archive/results_${DATE}/"
Track your security posture over time:
  • Document initial test results before tuning
  • Retest after security control changes
  • Measure improvement in block rates
  • Track mean time to detection
Use results to drive security improvements:
  • Show executives quantifiable security gaps
  • Justify budget for security tools
  • Demonstrate effectiveness of recent changes
  • Report compliance validation to auditors

Troubleshooting Result Files

Result file is missing or empty

Possible causes:
  • Test was interrupted before completion
  • No write permissions in the directory
  • Exception occurred before any results were written
Solution: Check file permissions and try running as the appropriate user.

All tests show FAILED

If legitimate:
  • Your security controls are working perfectly
  • All malicious connections were blocked
If suspicious:
  • Network connectivity issues
  • Firewall blocking all outbound traffic
  • Test system is isolated from internet
Solution: Run a basic connectivity test (ping, curl) to verify network access.

All tests show SUCCESSFUL

This is a critical security issue:
  • Firewall rules may not be applied
  • IPS/IDS may be in monitor-only mode
  • Threat feeds may not be loaded
  • System may be bypassing security controls
Solution: Immediately review firewall and IPS configurations.
