Special thanks to Brad at malware-traffic-analysis.net (http://www.malware-traffic-analysis.net/index.html); we used his examples for the October meeting. His site is an excellent resource for learning. He also posts updates and other malware-related info on Twitter as @malware_traffic.
Here is the traffic we walked through: http://www.malware-traffic-analysis.net/2016/05/13/index.html
And here is the solution: http://www.malware-traffic-analysis.net/2016/05/13/page2.html
To use Security Onion to analyze the traffic, download the Security Onion ISO and install it in a VM. The page linked here also explains how to check the ISO's hash and signature before you install it, which is worth doing for a tool you are going to feed hostile traffic: https://github.com/Security-Onion-Solutions/security-onion/blob/master/Verify_ISO.md
Here is how to replay the traffic in Security Onion for analysis:
Here are some resources on ways to extract files (file carving) from pcaps:
- SANS paper on file extraction using different tools: https://www.sans.org/reading-room/whitepapers/tools/extracting-files-network-packet-captures-36562
- More detail on some of the same tools covered in the SANS paper above: http://www.behindthefirewalls.com/2014/01/extracting-files-from-network-traffic-pcap.html
- Carving using hex editors: https://www.security-sleuth.com/sleuth-blog/2015/4/18/the-perks-of-being-a-file-carver-1
- Carving SMB and SMB2: http://chrissanders.org/2011/11/packet-carving-with-smb-and-smb2/
- Carving with Wireshark: https://malwerewolf.com/2014/04/wireshark-primer-manual-carve-http-objects/
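As an added example (not code from the original post or from any of the tools linked above), here is a minimal carver in Python that does by hand what those tools do for you: it parses a libpcap file, reassembles each server-to-client TCP stream by sequence number, carves every HTTP response body that has a Content-Length, and then compares the carved bytes' magic against the Content-Type header, since malware is routinely served with a misleading type. The capture it runs on is constructed inline (documentation-range addresses, a fake MZ payload delivered out of order with an overlapping retransmit); nothing is downloaded and no third-party library is needed.

```python
"""Carve HTTP-delivered files out of a pcap with only the Python standard library (added example)."""
import re
import struct
from collections import defaultdict

# (magic bytes, type, MIME prefix a server would normally send) for types often carved from malware traffic
SIGNATURES = [(b"MZ", "PE executable", "application/"), (b"\x89PNG", "PNG", "image/png"),
              (b"%PDF", "PDF", "application/pdf"), (b"PK\x03\x04", "ZIP/Office", "application/")]
RESPONSE_LINE = re.compile(rb"HTTP/1\.[01] \d{3}[^\r\n]*\r\n")

def iter_frames(data):
    """Yield the captured bytes of each record in a libpcap file (Ethernet link type only)."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("not a libpcap file with LINKTYPE_ETHERNET")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def parse_tcp(frame):
    """Return (src, sport, dst, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]  # drop any Ethernet trailer padding
    tcp = ip[(ip[0] & 0x0F) * 4:]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    addr = lambda b: ".".join(str(x) for x in b)
    return addr(ip[12:16]), sport, addr(ip[16:20]), dport, seq, tcp[(tcp[12] >> 4) * 4:]

def reassemble(data):
    """Map each one-way TCP flow to its payload in sequence order (out-of-order and overlap tolerant)."""
    segments = defaultdict(dict)
    for frame in iter_frames(data):
        parsed = parse_tcp(frame)
        if parsed and parsed[5]:
            src, sport, dst, dport, seq, payload = parsed
            segments[(src, sport, dst, dport)].setdefault(seq, payload)  # exact retransmit: first copy wins
    streams = {}
    for flow, chunks in segments.items():
        buf, expected = b"", 0
        for seq in sorted(chunks):                        # no 32-bit sequence wraparound handling
            buf += chunks[seq][max(0, expected - seq):]   # keep only the new tail of an overlap
            expected = max(expected, seq + len(chunks[seq]))  # a gap (lost packet) just shows as a short body
        streams[flow] = buf
    return streams

def carve_http(stream):
    """Return (status_line, headers, body) for every Content-Length response in a stream."""
    found, pos = [], 0
    while True:
        m = RESPONSE_LINE.search(stream, pos)
        head_end = stream.find(b"\r\n\r\n", m.start()) if m else -1
        if head_end < 0:
            return found
        lines = stream[m.start():head_end].decode("latin-1").split("\r\n")
        headers = {k.strip().lower(): v.strip() for k, _, v in (line.partition(":") for line in lines[1:])}
        pos = head_end + 4
        if headers.get("content-length", "").isdigit():    # chunked/close-delimited bodies: out of scope
            body = stream[pos:pos + int(headers["content-length"])]
            found.append((lines[0], headers, body))
            pos += len(body)

def carve_pcap(data):
    """Carve every HTTP response body in a pcap; flag bodies whose magic bytes contradict Content-Type."""
    results = []
    for (src, sport, dst, dport), stream in reassemble(data).items():
        for status, headers, body in carve_http(stream):
            ctype = headers.get("content-type", "")
            kind, mime = next(((k, m) for sig, k, m in SIGNATURES if body.startswith(sig)), ("unknown", None))
            results.append({"server": f"{src}:{sport}", "client": f"{dst}:{dport}", "status": status,
                            "content_type": ctype, "magic": kind, "body": body,
                            "suspicious": mime is not None and not ctype.startswith(mime)})
    return results

def build_pcap(segments):
    """Write a libpcap file from (src, sport, dst, dport, seq, payload) tuples (constructed test data; checksums left zero)."""
    ip_bytes = lambda s: bytes(int(x) for x in s.split("."))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, (src, sport, dst, dport, seq, payload) in enumerate(segments):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), i, 0, 64, 6, 0, ip_bytes(src), ip_bytes(dst)) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 1463133600 + i, 0, len(frame), len(frame)) + frame
    return out

# Constructed sample: one keep-alive connection, a harmless HTML page then a "JPEG" that is really a PE
SERVER, CLIENT = ("203.0.113.10", 80), ("192.0.2.55", 49152)
HTML, PAYLOAD = b"<html>landing</html>", b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 60
RESPONSES = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n" % len(HTML) + HTML
             + b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: %d\r\n\r\n" % len(PAYLOAD) + PAYLOAD)
BASE, CHUNKS = 1000, [RESPONSES[i:i + 60] for i in range(0, len(RESPONSES), 60)]
srv = lambda seq, data: (*SERVER, *CLIENT, seq, data)
SAMPLE_PCAP = build_pcap(
    [(*CLIENT, *SERVER, 1, b"GET /a.php HTTP/1.1\r\nHost: example.test\r\n\r\n"),
     srv(BASE + 60, CHUNKS[1]), srv(BASE, CHUNKS[0]),           # first chunk arrives second
     srv(BASE + 30, CHUNKS[0][30:] + CHUNKS[1][:10])]          # retransmit overlapping both chunks
    + [srv(BASE + 60 * i, c) for i, c in enumerate(CHUNKS) if i >= 2])
```

Calling carve_pcap(SAMPLE_PCAP) returns two objects: the HTML page, and a second one the server labelled image/jpeg whose first bytes are MZ, which is the cue to hash it and hand it to a sandbox rather than an image viewer. What it deliberately leaves out, and what the tools in the links above handle for you, is chunked transfer encoding, Content-Encoding: gzip, TCP sequence wraparound and any checksum verification. Treat anything you carve as hostile and handle it in an isolated VM.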
We talked about some quick ways to get info on IPs and domains when researching potential incidents. Here is a quick hit list: