I tried to download a malware pcap on an Ubuntu VM in Microsoft Azure from PuTTY, but it is not allowing me to do so. It gives the following output:
2016-12-17-traffic-analysis-exercise.pcap.zip: Permission denied Cannot write to ‘2016-12-17-traffic-analysis-exercise.pcap.zip’
Can someone please tell me how we can download a malware pcap on an Ubuntu VM in Microsoft Azure?
Is there any chance of the local PC getting infected when you analyse a PCAP malware file on a cloud server through PuTTY? I want to run a malware pcap to test Snort on my cloud server. I want to know whether doing so will affect my local machine.
I am currently working on a machine learning module to detect operating systems based on existing packet traffic in pcap file format. So far, I have generated some traffic from popular operating systems that are available. However, this process is very tedious.
I would like to know if there are any publicly available pcap files that associate data with a particular operating system (e.g. a pcap file that has a lot of traffic from Windows XP). I am aware that there are other similar questions regarding publicly available pcap files; however, none of them seem to be focused on operating systems.
I am currently trying to set up my own little SIEM, but cannot seem to transfer the files the way I want.
I am capturing the data with tshark:
tshark -i eth0 -T ek > cap.pcap.json
This outputs a JSON file that is suited for Elasticsearch.
I have (at least I think so) managed to upload the data to my Elasticsearch by using curl.
curl -H "Content-Type: application/json" -XPOST "localhost:9200/_bulk?pretty" --data-binary @cap.pcap.json
This seems to work: I get JSON output at the console that shows me where the data is located in Elasticsearch (_index, _type, _version, _shards, …).
But here I am stuck. I’d like to import the data into Kibana (the full ELK stack is installed), but cannot seem to find the right setting anywhere…
On the Kibana dashboard it is possible to “Add Data to Kibana” for a SIEM, but I don’t find a JSON option, “merely” Zeek and Auditbeat (…). Can anyone help me or point me to a site where it is explained? I searched, but found just things like: “And once you have it in Elasticsearch, it is in Kibana…”
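A check worth doing before blaming Kibana, added here as an editor's example (this is not code from the post above): the `-T ek` output is newline-delimited JSON in the shape the `_bulk` API wants, one action line (`{"index":{"_index":"packets-<date>","_type":"doc"}}`) followed by one document line per packet, and the body must end with a newline. The script below pairs the lines, reports the index names that were written (that is the pattern, e.g. `packets-*`, you have to create under Kibana's index-pattern management before any of it shows up in Discover), flags documents without a `timestamp`, and can re-emit the body with a single index name and without `_type`, which newer Elasticsearch releases reject. The sample input is constructed; the layout of the action and document lines follows what `tshark -T ek` writes in the versions I have used, while the nested field names under `layers` are illustrative only.

```python
import json

# Constructed sample of `tshark -T ek` output: action line, document line,
# repeated per packet. Field names under "layers" are illustrative.
SAMPLE_EK = "\n".join([
    '{"index":{"_index":"packets-2019-05-01","_type":"doc"}}',
    '{"timestamp":"1556711015123","layers":{"frame":{"frame_frame_protocols":"eth:ethertype:ip:tcp"},'
    '"ip":{"ip_ip_src":"10.0.0.5","ip_ip_dst":"93.184.216.34"}}}',
    '{"index":{"_index":"packets-2019-05-01","_type":"doc"}}',
    '{"timestamp":"1556711015456","layers":{"frame":{"frame_frame_protocols":"eth:ethertype:ip:udp:dns"},'
    '"ip":{"ip_ip_src":"10.0.0.5","ip_ip_dst":"10.0.0.1"}}}',
    '{"index":{"_index":"packets-2019-05-02","_type":"doc"}}',
    '{"timestamp":"1556757615000","layers":{"frame":{"frame_frame_protocols":"eth:ethertype:ip:tcp"},'
    '"ip":{"ip_ip_src":"10.0.0.7","ip_ip_dst":"93.184.216.34"}}}',
]) + "\n"


def parse_bulk(text):
    """Pair each action line with its document line.

    Returns (pairs, problems): pairs is a list of (action_body, document),
    problems is a list of human-readable reasons the _bulk API would reject
    or silently mis-handle the file.
    """
    lines = [line for line in text.split("\n") if line.strip()]
    pairs, problems = [], []
    i = 0
    while i < len(lines):
        try:
            action = json.loads(lines[i])
        except json.JSONDecodeError as exc:
            problems.append(f"line {i + 1}: action is not JSON ({exc.msg})")
            i += 1
            continue
        op = next(iter(action), None)
        if op not in ("index", "create"):
            problems.append(f"line {i + 1}: expected an index/create action")
            i += 1
            continue
        if i + 1 >= len(lines):
            problems.append(f"line {i + 1}: action without a document")
            break
        try:
            doc = json.loads(lines[i + 1])
        except json.JSONDecodeError as exc:
            problems.append(f"line {i + 2}: document is not JSON ({exc.msg})")
            i += 2
            continue
        pairs.append((action[op], doc))
        i += 2
    if not text.endswith("\n"):
        problems.append("body must end with a newline for the _bulk API")
    return pairs, problems


def summarize(pairs):
    """Index names written and how many documents lack the `timestamp` field."""
    return {
        "documents": len(pairs),
        "indices": sorted({action["_index"] for action, _ in pairs}),
        "docs_without_timestamp": sum(1 for _, doc in pairs if "timestamp" not in doc),
    }


def rewrite_actions(text, index_name=None, drop_type=True):
    """Re-emit the bulk body, optionally forcing one index name and dropping `_type`."""
    pairs, problems = parse_bulk(text)
    if problems:
        raise ValueError("; ".join(problems))
    out = []
    for action, doc in pairs:
        action = dict(action)
        if drop_type:
            action.pop("_type", None)
        if index_name:
            action["_index"] = index_name
        out.append(json.dumps({"index": action}))
        out.append(json.dumps(doc, separators=(",", ":")))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    pairs, problems = parse_bulk(SAMPLE_EK)
    print(summarize(pairs), problems)
```

Pipe a real capture through `parse_bulk` (`python3 ekcheck.py < cap.pcap.json` with a small wrapper, or import it) and create the Kibana index pattern from the `indices` it reports; if `docs_without_timestamp` is non-zero, or `timestamp` is not mapped as a date, Kibana will not offer it as the time field and Discover stays empty. Recent tshark versions can print a matching mapping with `tshark -G elastic-mapping`; check your version's man page.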
I am trying to develop an ML model and need a good pcap dataset that contains malicious traffic and normal traffic.
Is there any place where I can get hold of this kind of dataset?
I get this error when using Snort with the -r option to read a saved pcap file and apply Snort rules to it.
ERROR : pfring daq does not support read-file
I am running Snort in Security Onion.
I tried many things:
sudo snort -i ens34 -c /etc/nsm/templates/snort/snort.conf -r pcap.pcap
I am trying to pass good, reputable malicious traffic through an IPS. There are several sources on the internet for datasets, like the oldest, I think, the DARPA set (not available in pcap format and not that efficient for modern-day use), or the NSL-KDD dataset, etc. Here is a good link I found about options that I can look into. However, none of them has a dataset available in pcap format. Is there any reputable dataset available in PCAP or TCPDUMP format, or convertible to PCAP?
I want to run a C++ program that uses pcap as non-root,
because it isn’t possible to run it as sudo.
I found this possible solution.
I executed the commands:
sudo chgrp pcap /usr/sbin/tcpdump
sudo chmod 750 /usr/sbin/tcpdump
This is my result:
-rwxr-x--- 1 root pcap 1138288 Sep 13 2017 /usr/sbin/tcpdump*
getcap gives this as a result:
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep
But I still get the error:
Could not open enp4s0 - enp4s0: You don't have permission to capture on that device (socket: Operation not permitted)
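Two things decide whether `pcap_open_live` gets past `socket(AF_PACKET, ...)`: file capabilities are bound to the binary that is executed, so `cap_net_raw,cap_net_admin+ep` on /usr/sbin/tcpdump does nothing for a different program (the user's own C++ binary needs its own `setcap cap_net_raw,cap_net_admin=eip ./prog`), and a group added with `usermod -aG` only takes effect in a new login session. The `Operation not permitted` (EPERM) from `socket()` is the kernel saying the running process does not hold CAP_NET_RAW. The snippet below, added by the editor and not taken from the post, decodes the `CapEff` mask the kernel exports in /proc/<pid>/status so you can see what a process actually holds; the bit numbers (12 for CAP_NET_ADMIN, 13 for CAP_NET_RAW) are the Linux `capability.h` values, and the status texts in the test are constructed.

```python
# Decode the effective-capability mask from /proc/<pid>/status to check
# whether a process holds what libpcap needs to open a capture socket.
# Bit numbers are the Linux capability.h constants.
CAP_BITS = {
    "cap_net_admin": 12,  # needed to put the interface into promiscuous mode
    "cap_net_raw": 13,    # needed for socket(AF_PACKET, SOCK_RAW, ...)
}


def parse_cap_mask(status_text, field="CapEff"):
    """Return the hex capability mask for `field` (CapEff, CapPrm, ...) as an int."""
    for line in status_text.splitlines():
        if line.startswith(field + ":"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError(f"{field} not present in status text")


def capture_caps(status_text, field="CapEff"):
    """Names of the capture-relevant capabilities set in the given mask."""
    mask = parse_cap_mask(status_text, field)
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}


def can_open_capture_socket(status_text):
    """True when CAP_NET_RAW is effective; without it socket() fails with EPERM."""
    return "cap_net_raw" in capture_caps(status_text)


def current_process_caps():
    """Read the live mask of this process (Linux only)."""
    with open("/proc/self/status") as status:
        return capture_caps(status.read())


if __name__ == "__main__":
    print("effective capture capabilities:", current_process_caps())
```

Run it the same way the capture program is started (same user, same shell, no sudo): an empty set means the file capability was not applied to that binary or the session predates the group change, whichever of the two the setup relies on.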
I have a pcap file from CICIDS, and what I wanted to know is how I can apply Snort rules on Windows. I have not written any custom rules myself but want to run the rules already available. For now the snort.rules file is empty.
I am diving into Snort and trying to figure out what everything does, but I’m having a little trouble. I have a .pcap file I want to analyse and I know there is malicious C&C traffic in it. (Practice exercise for an online course.)
The goal of the exercise is to write Snort rule(s) that are not restricted by IP address or port number (source or destination) to detect the C&C traffic.
What should I be looking for in the .pcap file to base my rules on? (If possible, please provide plenty of details in this area.) Are there any specific options I should almost always include in my Snort rule, and why? I also want to try to mitigate false positives, because the file is rather large and there are only a handful of malicious connections in it.
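Since a rule that may not use addresses or ports has to key on payload, the practical first step is to profile what the application layer in the capture looks like and find the traits that only the C&C sessions share: a User-Agent that almost nothing else uses, a Host header that is a bare IP, the same URI POSTed on a schedule by one client. The script below is an added example written for this page, not part of the question or the course: a dependency-free reader for classic pcap (Ethernet/IPv4/TCP) that pulls out HTTP request lines and headers and tallies them, run over a small capture it constructs itself (every address, hostname and User-Agent string in it is made up). Traits it surfaces map directly onto Snort options: `flow:established,to_server;` keeps the rule to client-originated data in a real session, and `content:"<string>"; http_header;` or `content:"/gate.php"; http_uri;` anchors the match to the header or URI buffer, which is both faster and less false-positive-prone than a bare `content:` over the whole payload.

```python
import struct
from collections import Counter

# Constructed sample: three ordinary browser requests and two POSTs to a
# bare-IP host with a stale User-Agent. Everything here is made up.
BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/60.0"
BOT = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


def _http_request(method, path, host, user_agent):
    return (f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"User-Agent: {user_agent}\r\nConnection: close\r\n\r\n").encode()


def _frame(src_ip, dst_ip, sport, dport, payload):
    """One Ethernet/IPv4/TCP frame carrying `payload` (checksums left at 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return struct.pack("!6s6sH", b"\x02" * 6, b"\x04" * 6, 0x0800) + ip + tcp + payload


def build_sample_pcap():
    """Classic pcap (magic 0xa1b2c3d4, LINKTYPE_ETHERNET) holding five requests."""
    frames = [
        _frame("10.0.0.5", "93.184.216.34", 50001, 80, _http_request("GET", "/index.html", "www.example.com", BROWSER)),
        _frame("10.0.0.7", "93.184.216.34", 50002, 80, _http_request("GET", "/news", "www.example.com", BROWSER)),
        _frame("10.0.0.5", "203.0.113.9", 50003, 8080, _http_request("POST", "/gate.php", "203.0.113.9", BOT)),
        _frame("10.0.0.9", "93.184.216.34", 50004, 80, _http_request("GET", "/", "www.example.net", BROWSER)),
        _frame("10.0.0.5", "203.0.113.9", 50005, 8080, _http_request("POST", "/gate.php", "203.0.113.9", BOT)),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1500000000 + 60 * i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_payloads(pcap_bytes):
    """Yield (src, dst, dport, payload) for every TCP segment that carries data."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", pcap_bytes[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET is handled here")
    off = 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])[2]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]  # trim Ethernet padding
        tcp = ip[(ip[0] & 0x0F) * 4:]
        if len(tcp) < 20:
            continue
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
                   struct.unpack("!H", tcp[2:4])[0], payload)


def parse_http_request(payload):
    """Return method/uri/host/user_agent for an HTTP request payload, else None."""
    if not payload.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return None
    lines = payload.partition(b"\r\n\r\n")[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    req = {"method": parts[0].decode(), "uri": parts[1].decode(errors="replace"),
           "host": "", "user_agent": ""}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        key = name.strip().lower()
        if key == b"host":
            req["host"] = value.strip().decode(errors="replace")
        elif key == b"user-agent":
            req["user_agent"] = value.strip().decode(errors="replace")
    return req


def profile_http(pcap_bytes):
    """All requests, a User-Agent tally, and which client IPs used each User-Agent."""
    requests, ua_counts, ua_clients = [], Counter(), {}
    for src, dst, dport, payload in iter_tcp_payloads(pcap_bytes):
        req = parse_http_request(payload)
        if req is None:
            continue
        req.update(src=src, dst=dst, dport=dport)
        requests.append(req)
        ua_counts[req["user_agent"]] += 1
        ua_clients.setdefault(req["user_agent"], set()).add(src)
    return requests, ua_counts, ua_clients


def rare_user_agents(ua_counts, max_hits):
    """User-Agents seen at most `max_hits` times: candidates for an http_header content match."""
    return sorted(ua for ua, n in ua_counts.items() if n <= max_hits)


def bare_ip_hosts(requests):
    """Requests whose Host header is a literal IPv4 address rather than a name."""
    return [r for r in requests if r["host"].replace(".", "").isdigit()]


if __name__ == "__main__":
    reqs, counts, clients = profile_http(build_sample_pcap())
    for ua in rare_user_agents(counts, 2):
        print(f"rare User-Agent {ua!r} from {sorted(clients[ua])}")
    for r in bare_ip_hosts(reqs):
        print(f"{r['src']} -> {r['dst']}:{r['dport']} {r['method']} {r['uri']} Host={r['host']}")
```

On the constructed sample this singles out the MSIE 6.0 User-Agent (two hits, one client) and the two `/gate.php` POSTs to a bare-IP Host. A rule built from that, for example `alert tcp any any -> any any (msg:"example C2 check-in"; flow:established,to_server; content:"POST"; http_method; content:"/gate.php"; http_uri; content:"MSIE 6.0"; http_header; sid:1000001; rev:1;)`, matches on those traits alone; on a real capture, replace them with whatever the profile shows is unique to the malicious sessions, and prefer combining two or three weak traits over one so a lone old browser does not trip it.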