2015-01-09 - TRAFFIC ANALYSIS EXERCISE
PCAP AND ANSWERS:
- ZIP of this week's PCAP: 2015-01-09-traffic-analysis-exercise.pcap.zip
- ZIP of this week's answers (PDF file): 2015-01-09-traffic-analysis-exercise-answers.pdf.zip
NOTES:
- ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
- This exercise was meant to be a regular blog entry, so the pcap only includes the exploit kit traffic and chain of events leading to it.
SCENARIO
A Windows host visits a website that kicks off a chain of events leading to an exploit kit.
QUESTIONS
BASIC QUESTIONS:
1) What is the date and time of this activity?
2) What is the IP address and MAC address for the Windows host that hit the exploit kit?
3) What is the domain name and IP address of the compromised website?
4) What is the domain name and IP address for the exploit kit?
5) What web browser is the Windows host using?
EXTRA QUESTIONS:
1) What is the exploit kit?
2) What type of exploits were sent by this exploit kit? (Flash, IE, Java, Silverlight, etc.)
3) Which HTTP request returned a redirect to the exploit kit?
4) In Wireshark, which tcp.stream contains the malware payload?
5) What snort events (EmergingThreats or VRT/Talos) are generated by this traffic?
6) What version of Flash player is the Windows host using?
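Most of the questions above come down to reading a handful of header fields out of the pcap: Ethernet source MAC and IPv4 source address of the client, the HTTP Host header for the compromised site and the exploit kit domain, the User-Agent for the browser, the x-flash-version request header that Internet Explorer sends for the Flash Player version, a 3xx response with a Location header for the redirect, and Wireshark's tcp.stream index (conversations numbered in first-seen order) for the payload stream. As an added example that is not part of this exercise or of the site's own tooling, the dependency-free Python below walks a libpcap file, decodes Ethernet/IPv4/TCP, and pulls exactly those fields from any plaintext HTTP it finds. The two-packet capture it parses is constructed inline with made-up addresses, hostnames and version strings; nothing in it is taken from the exercise pcap. It assumes link-type Ethernet, classic pcap (not pcapng), and HTTP heads that fit in a single TCP segment (no reassembly); a redirect delivered as an injected iframe or script in a 200 response, which is how many compromised sites hand off to a kit, is not detected by the 3xx check here, and the snort and exploit-kit-identification questions are out of its scope.

```python
import struct
from datetime import datetime, timezone

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
PCAP_MAGIC = 0xA1B2C3D4


# --- writer: used only to build the constructed sample capture below -----------
def build_pcap(packets, linktype=1):
    """Minimal libpcap writer: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet II / IPv4 / TCP (PSH,ACK) frame. Checksums stay zero; the parser does not verify them."""
    def mac(s):
        return bytes.fromhex(s.replace(":", ""))

    def ip4(s):
        return bytes(int(o) for o in s.split("."))

    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, PROTO_TCP, 0,
                     ip4(src_ip), ip4(dst_ip))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


# --- reader ---------------------------------------------------------------------
def iter_pcap(data):
    """Yield (timestamp, frame_bytes) per record; the magic number tells us the file's byte order."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield sec + usec / 1_000_000, data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP headers; return None for anything else (ARP, IPv6, UDP, ...)."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != PROTO_TCP:
        return None
    tcp = ip[ihl:struct.unpack_from("!H", ip, 2)[0]]   # slice to IPv4 total length, drops Ethernet padding
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return {"src_mac": ":".join("%02x" % b for b in frame[6:12]),
            "dst_mac": ":".join("%02x" % b for b in frame[0:6]),
            "src_ip": ".".join(str(b) for b in ip[12:16]),
            "dst_ip": ".".join(str(b) for b in ip[16:20]),
            "sport": sport, "dport": dport, "payload": tcp[(tcp[12] >> 4) * 4:]}


def parse_http(payload):
    """Split an HTTP/1.x message head into (start line, lower-cased header dict), or None if not HTTP."""
    lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    if not (lines[0].startswith("HTTP/") or lines[0].endswith(("HTTP/1.0", "HTTP/1.1"))):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def analyze(pcap_bytes):
    """Collect, per HTTP request and per 3xx response, the fields the exercise questions ask about."""
    streams = {}        # canonical endpoint pair -> tcp.stream index, numbered in first-seen order like Wireshark
    requests, redirects = [], []
    for ts, frame in iter_pcap(pcap_bytes):
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        key = tuple(sorted([(pkt["src_ip"], pkt["sport"]), (pkt["dst_ip"], pkt["dport"])]))
        stream = streams.setdefault(key, len(streams))
        http = parse_http(pkt["payload"]) if pkt["payload"] else None
        if http is None:
            continue    # handshake/ACK-only segment, TLS, continuation data, or a non-HTTP protocol
        start, hdr = http
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
        if start.startswith("HTTP/"):
            status = start.split(" ")[1]
            if status.startswith("3") and "location" in hdr:
                redirects.append({"time": when, "stream": stream, "server": pkt["src_ip"],
                                  "status": status, "location": hdr["location"]})
        else:
            requests.append({"time": when, "stream": stream, "client_ip": pkt["src_ip"],
                             "client_mac": pkt["src_mac"], "server_ip": pkt["dst_ip"],
                             "host": hdr.get("host"), "uri": start.split(" ")[1],
                             "user_agent": hdr.get("user-agent"),
                             "flash_version": hdr.get("x-flash-version")})
    return {"requests": requests, "redirects": redirects}


def sample_pcap():
    """Constructed two-packet capture: made-up addresses, names, versions and time, not data from the exercise."""
    client_ip, client_mac = "10.1.1.57", "00:11:22:33:44:55"
    server_ip, server_mac = "203.0.113.10", "66:77:88:99:aa:bb"
    request = (b"GET /index.php HTTP/1.1\r\nHost: compromised-site.example\r\n"
               b"User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\r\n"
               b"x-flash-version: 16,0,0,235\r\n\r\n")
    response = b"HTTP/1.1 302 Found\r\nLocation: http://landing.ek.example/gate.php?id=1\r\nContent-Length: 0\r\n\r\n"
    t0 = 1420800000.0   # arbitrary epoch time; decodes to 2015-01-09 10:40:00 UTC
    return build_pcap([
        (t0, build_frame(client_mac, server_mac, client_ip, server_ip, 49152, 80, request)),
        (t0 + 0.25, build_frame(server_mac, client_mac, server_ip, client_ip, 80, 49152, response)),
    ])


if __name__ == "__main__":
    for kind, items in analyze(sample_pcap()).items():
        for item in items:
            print(kind, item)
```

To run it against a real capture, replace sample_pcap() with open("file.pcap", "rb").read(); on a capture that was saved as pcapng, convert first (for example with editcap or tshark -F pcap). In real exploit-kit traffic the request from the victim to the kit's landing page is the one whose Host header answers question 4, and the redirect that led there is usually the response immediately preceding it in time, so sorting the two lists by "time" and reading them side by side is the quickest way to reconstruct the chain.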
