Publicly Available PCAP dumps that associate IP addresses with Operating System?

I am currently working on a machine learning module to detect Operating Systems based on existing packet traffic in pcap file format. So far, I have generated some traffic of popular Operating Systems available. However, this process is very tedious.

I would like to know if there are any publicly available pcap files that associate data generated by a particular Operating System (e.g. a pcap file that has a lot of traffic from Windows XP). I am aware that there are other similar questions asked regarding publicly available pcap files, however none of them seem to be focused on Operating Systems.

Thank you.

How to import json (pcap) data from TShark to Elasticsearch and Kibana [closed]

I am currently trying to setup my own little SIEM, but cannot seem to transfer the files how I want them.

I am capturing the data with tshark:

tshark -i eth0 -T ek > cap.pcap.json 

This outputs a json file that is suited for ElasticSearch.

I have (at least I think so) managed to upload the data to my ElasticSearch by using curl.

curl -H "Content-Type: application/json" -XPOST "localhost:9200/_bulk?pretty" --data-binary @cap.pcap.json 

This seems to work: I get JSON output on the console that shows me where the data is located in Elasticsearch (_index, _type, _version, _shards, …).

But here, I am stuck. I’d like to import the data to Kibana (full ELK-Stack is installed), but cannot seem to find the right setting anywhere…

At the Dashboard (Kibana), it is possible to “Add Data to Kibana” for a SIEM, but I don’t find a JSON option, “merely” Zeek and Auditbeat (…). Can anyone help me or point me to a site where it is explained? I searched, but found just things like: “And once you have it in Elasticsearch, it is in Kibana…”

Thanks!
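As an added example (not from the poster or from the tshark or Elastic projects), here is a small Python helper that checks and normalises the NDJSON that `tshark -T ek` writes before it is sent to `_bulk`: each action line must be paired with a document line, the index name is forced to one target so a single Kibana index pattern (e.g. `packets-*`) covers everything, the deprecated `_type` is dropped unless asked for, and the ek `timestamp` (assumed here to be epoch milliseconds as a string) is converted to an integer so a `date` mapping on it can serve as the time field Kibana needs. The sample lines and the target index name are constructed for the example.

```python
import json
from typing import List

# Constructed sample of the shape `tshark -T ek` emits (assumed, not taken
# from the original post): an index-action line followed by a document line.
SAMPLE_EK = """\
{"index":{"_index":"packets-2019-01-01","_type":"pcap_file"}}
{"timestamp":"1546300800123","layers":{"frame":{"frame_frame_len":"74"},"ip":{"ip_ip_src":"10.0.0.5"}}}
{"index":{"_index":"packets-2019-01-01","_type":"pcap_file"}}
{"timestamp":"1546300800456","layers":{"frame":{"frame_frame_len":"60"}}}
"""


def normalise_ek(ndjson: str, index: str, keep_type: bool = False) -> List[str]:
    """Return bulk-ready NDJSON lines that all target `index`.

    Pairs each action line with its document, rewrites _index, drops the
    deprecated _type unless keep_type is set (Elasticsearch 7+ rejects it
    by default), and refuses documents without the ek `timestamp` field,
    because Kibana needs a time field to build an index pattern over packets.
    """
    lines = [ln for ln in ndjson.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("ek output must alternate action/document lines")
    out: List[str] = []
    for action_raw, doc_raw in zip(lines[::2], lines[1::2]):
        action = json.loads(action_raw)
        doc = json.loads(doc_raw)
        if "index" not in action:
            raise ValueError(f"expected an index action, got: {action_raw}")
        if "timestamp" not in doc:
            raise ValueError("document has no timestamp field")
        meta = {"_index": index}
        if keep_type and "_type" in action["index"]:
            meta["_type"] = action["index"]["_type"]
        # Epoch milliseconds as an int so a `date` mapping on `timestamp` parses it.
        doc["timestamp"] = int(doc["timestamp"])
        out.append(json.dumps({"index": meta}, separators=(",", ":")))
        out.append(json.dumps(doc, separators=(",", ":")))
    return out


def bulk_body(lines: List[str]) -> bytes:
    """Join the lines into a _bulk request body; the API requires a trailing newline."""
    return ("\n".join(lines) + "\n").encode()


if __name__ == "__main__":
    print(bulk_body(normalise_ek(SAMPLE_EK, "packets-siem")).decode())
```

Write the returned body to a file and POST it with `curl -H "Content-Type: application/x-ndjson" --data-binary @body.ndjson localhost:9200/_bulk`; then, in Kibana under Management, create an index pattern `packets-*` and pick `timestamp` as the time field so Discover shows the packets.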

Public Availability of a good Dataset in PCAP (TCPDUMP) format for IDS/IPS testing

I am trying to pass good, reputable malicious traffic through an IPS. There are several sources on the internet to explore datasets, like the oldest, I think, the DARPA set (not available in pcap format and not that efficient for modern-day use) or the NSL-KDD dataset, etc. Here is a good link I found about options that I can look into. However, none of them has a dataset available in pcap format. Is there any reputable dataset available in PCAP or TCPDUMP format, or convertible to PCAP?

Thank you.

PCAP permission problems

I want to run a C++ program that uses pcap as non-root.

Because it isn’t possible to run it as sudo.

I found this possible solution.

I executed the commands:

sudo chgrp pcap /usr/sbin/tcpdump
sudo chmod 750 /usr/sbin/tcpdump

This is my result:

-rwxr-x--- 1 root pcap 1138288  �  13  2017 /usr/sbin/tcpdump* 

This command: getcap /usr/sbin/tcpdump

gives this as result:

/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep

But I still get the error:

Could not open enp4s0 - enp4s0: You don't have permission to capture on that device (socket: Operation not permitted) 

How to analyze .pcap file to write a generic snort rule to detect c&c activity

I am diving into Snort and trying to figure out what everything does, but I’m having a little trouble. I have a .pcap file I want to analyse, and I know there is malicious C&C traffic in it. (Practice exercise for an online course.)

The goal of the exercise is to write Snort rule(s) that are not restricted by IP address or port number (source or destination) to detect the C&C traffic.

What should I be looking for in the .pcap file to base my rules on? (If possible, please provide plenty of details in this area.) Are there any specific options I should almost always include in my Snort rule, and why? I also want to try to mitigate false positives, because the file is rather large and there are only a handful of malicious connections in it.

Decrypting application data from pcap

Full disclosure: I am a front-end developer with hardly any knowledge of security, trying to complete a security challenge. All the info below I picked up in the last 12 hours, so if it doesn’t make sense, feel free to correct me. Lastly, I don’t consider this cheating, because I am not doing the challenge to get a job; I was just bored tonight, but it’s 5.30am and I refuse to be beaten.

So far I have this:

The file is a pcap file. I can open this pcap file in Wireshark and see the TLS handshake. Somehow I am meant to be able to decrypt the application data by generating a private key using the information about the cipher and other info in the ‘Server Hello’ packet.

I have only found one blog post on how to do something similar. I am thinking that, this being a security challenge, this must be a common type of attack. Does this have a name, and can anybody shed some light on how to go about this?