I am currently working on a machine learning module to detect Operating Systems based on existing packet traffic in pcap file format. So far, I have generated some traffic of popular Operating Systems available. However, this process is very tedious.
I would like to know if there are any publicly available pcap files that associate data generated from a particular Operating System (e.g. pcap files that have a lot of traffic from Windows XP). I am aware that there are other similar questions asked regarding publicly available pcap files, however none of them seem to be focused on Operating Systems.
I am currently trying to set up my own little SIEM, but cannot seem to transfer the files how I want them.
I am capturing the data with tshark:
tshark -i eth0 -T ek > cap.pcap.json
This outputs a json file that is suited for ElasticSearch.
I have (at least I think so) managed to upload the data to my ElasticSearch by using curl.
curl -H "Content-Type: application/json" -XPOST "localhost:9200/_bulk?pretty" --data-binary @cap.pcap.json
This seems to work; I get an output (json) at the console that shows me where the data is located in Elastic-Search (_index, _type, _version, _shards, …).
But here, I am stuck. I’d like to import the data to Kibana (full ELK-Stack is installed), but cannot seem to find the right setting anywhere…
At the Dashboard (kibana), it is possible to “Add Data to Kibana” for a SIEM, but I don’t find a JSON option, “merely” zeek and auditbeat (…). Can anyone help me or point me to a site where it is explained. I searched, but found just things like: And once you have it in Elastic-Search, it is in Kibana…
I am trying to develop an ML model and need to have a good pcap dataset which contains malicious traffic and normal traffic.
Is there any place that I am able to get hold of this kind of dataset?
I get this error when using snort with -r option to read a saved pcap file and apply snort rules on it.
ERROR : pfring daq does not support read-file
I am running snort in Security Onion.
I tried many things.
sudo snort -i ens34 -c /etc/nsm/templates/snort/snort.conf -r pcap.pcap
I am trying to pass good reputable malicious traffic from an IPS. There are several sources on the internet to explore datasets, like the oldest I think, the DARPA set (not available in pcap format and not that efficient for modern day use), or the NSL-KDD dataset etc. Here is a good link I found about options that I can look into. However none of them has a dataset available in pcap format. Is there any reputable dataset available in PCAP or TCPDUMP or convertible to PCAP?
I want to run a C++ program that uses pcap as non-root.
Because it isn’t possible to run it as sudo.
I found this possible solution.
I executed the commands:
sudo chgrp pcap /usr/sbin/tcpdump
sudo chmod 750 /usr/sbin/tcpdump
This is my result:
-rwxr-x--- 1 root pcap 1138288 九 13 2017 /usr/sbin/tcpdump*
gives this as a result:
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep
But I still get the error:
Could not open enp4s0 - enp4s0: You don't have permission to capture on that device (socket: Operation not permitted)
I have a pcap file from CICIDS, and what I wanted to know is how I can apply the Snort rules in Windows. I have not written any custom rules myself but want to run the rules already available. For now the snort.rules file is empty.
I am diving into snort and trying to figure out what everything does but I’m having a little trouble. I have a .pcap file I want to analyse and I know there is malicious c&c traffic on it. (Practice exercise for an online course)
The goal of the exercise is to write a snort rule(s) that is not restricted by IP address or port number (source or destination) to detect the c&c traffic.
What should I be looking for in the .pcap file to base my rules off of? (if possible please provide plenty of details in this area) Are there any specific options I should almost always include in my snort rule and why? I also want to try to mitigate false positives as well because the file is rather large and there are only a handful of malicious connections in it.
Full disclosure: I am a front-end developer with hardly any knowledge of security trying to complete a security challenge. All info below I picked up in the last 12 hours, so if it doesn’t make sense feel free to correct me. Lastly, I don’t consider this cheating because I am not doing the challenge to get a job; I was just bored tonight, but it’s 5.30am and I refuse to be beaten.
So far I have this:
The file is a pcap file. I can open this pcap file in Wireshark and see the TLS handshake. Somehow I am meant to be able to decrypt the application data by generating a private key using the information about the cipher and other info in the ‘Server Hello’ packet.
I have only found 1 blog post on how to do something similar. I am thinking that, being in a security challenge, this must be a common type of attack. Does this have a name, and can anybody shed some light on how to go about this?