2015-05-08 - TRAFFIC ANALYSIS EXERCISE
- PCAP of the traffic: 2015-05-08-traffic-analysis-exercise.pcap.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
The image below shows the traffic in Wireshark. As always, I recommend changing the default column display in Wireshark as covered in this tutorial: http://malware-traffic-analysis.net/tutorials/wireshark/index.html
You've documented the traffic, and now it's time to state what happened. A full analysis should include Snort events (or any other alerts) you've been able to generate from the pcap (from reading it with Snort or using tcpreplay in Security Onion). You should also be able to extract a malware sample from the pcap and submit it to Virus Total.
- Click here to see the final answer page.