2015-02-08 - TRAFFIC ANALYSIS EXERCISE

PCAP:

NOTE: ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.


FIRST DECISION POINT - YOU DON'T NEED ANY ADDITIONAL INFO.  YOUR SUMMARY IS COMPLETE!

Load the pcap in Wireshark. Hopefully, you've set it up as I've described in my tutorial here. Use http.request as the display filter and see what we've got:


A Google search on the domain names will indicate what's going on.  You'll find a submission to malwr.com that shows the same network traffic (under the "Network Analysis" section).  You'll also find a blog entry on TechHelpList.com discussing the same URLs from the pcap.


With that information, you might not need the Emerging Threats events generated by running the pcap through Snort or Security Onion:


ANSWERS


An incident report of the activity should also include a technical details section after the short summary. It lists every URL, domain, and IP address seen in the pcap, plus any other malicious traffic associated with the incident, so that someone else can search their own logs for the same indicators.
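The two steps above (pulling the HTTP requests out of the pcap, then turning them into the URL/domain/IP list for the technical details section) can be scripted when you have more than a handful of pcaps. The script below is an added example for this exercise, not something from the original page; it uses only the Python standard library, reads classic (non-pcapng) pcap files, and reports the same fields you would see under the http.request filter. The pcap it parses is constructed inside the script with documentation-range addresses and made-up hostnames, so it runs offline and does not reflect the real traffic in this exercise. Unlike Wireshark it does not reassemble TCP streams, so a request line split across segments is missed; for real captures, `tshark -r file.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri` is the quicker route.

```python
"""Stdlib-only equivalent of Wireshark's http.request filter plus an
indicator summary for the report's technical details section.
Constructed example for this exercise, not code from the original page."""
import struct
from collections import namedtuple

HttpRequest = namedtuple("HttpRequest", "src dst method host uri")
METHODS = (b"GET ", b"POST ", b"HEAD ")


def iter_frames(data):
    """Yield raw Ethernet frames from a classic pcap (either byte order)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:  # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are supported")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_http_request(frame):
    """Return an HttpRequest if this IPv4/TCP frame starts with an HTTP request line."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType IPv4
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:  # IPv4 version nibble, protocol TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    payload = tcp[(tcp[12] >> 4) * 4:]  # TCP data offset is in 32-bit words
    if not payload.startswith(METHODS):
        return None
    lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        return None
    host = ""
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            break
    return HttpRequest(src, dst, parts[0].decode("ascii", "replace"), host,
                       parts[1].decode("ascii", "replace"))


def http_requests(pcap_bytes):
    """All HTTP requests in the capture, in frame order."""
    return [r for r in (parse_http_request(f) for f in iter_frames(pcap_bytes)) if r]


def technical_details(requests):
    """Deduplicated indicators for the technical details section of the report."""
    return {
        "server_ips": sorted({r.dst for r in requests}),
        "domains": sorted({r.host for r in requests if r.host}),
        "urls": sorted({"http://" + r.host + r.uri for r in requests if r.host}),
    }


def _frame(src, dst, sport, dport, payload):
    """Build one Ethernet/IPv4/TCP frame for the constructed sample (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00" + ip


def build_sample_pcap():
    """Constructed little-endian pcap: two HTTP requests and one non-HTTP segment."""
    frames = [
        _frame("192.168.1.10", "203.0.113.5", 49152, 80,
               b"GET /landing/index.php?id=1 HTTP/1.1\r\nHost: example-ek.test\r\n"
               b"User-Agent: Mozilla/5.0\r\n\r\n"),
        _frame("192.168.1.10", "203.0.113.5", 49153, 80,
               b"POST /gate.php HTTP/1.1\r\nHost: example-c2.test\r\nContent-Length: 0\r\n\r\n"),
        _frame("192.168.1.10", "198.51.100.1", 49154, 443, b"\x16\x03\x01\x00\x05hello"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1423353600 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    reqs = http_requests(build_sample_pcap())
    for r in reqs:
        print(f"{r.src} -> {r.dst}  {r.method} http://{r.host}{r.uri}")
    print(technical_details(reqs))
```

Point `http_requests()` at the bytes of a real pcap and the returned list is what you paste into the technical details section; the non-HTTP segment in the sample is there to show that only frames carrying a request line are reported.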


FIRST DECISION POINT - ALTERNATE CHOICE


FINAL NOTES IF YOU CHOSE TO STOP HERE


Click here to return to the main page.