Brad Duncan has a
great writeup over on the SANS Internet Storm Center today. Let's
download Brad's pcap and then analyze it using
so-import-pcap!
sudo so-import-pcap ~/Downloads/2019-06-17-Rig-EK-sends-AZORult-and-follow-up-malware.pcap
As soon as so-import-pcap completes, we can log into Squert and Kibana to review NIDS alerts and Bro logs. The first three screenshots are from Squert and are thus NIDS alerts only. We then pivot to Kibana where we see not only NIDS alerts but also Bro logs.
|
Squert Views Tab (NIDS Alerts) |
|
Squert Summary Tab (NIDS Alerts) |
|
Squert NIDS Alerts |
|
Kibana Overview Dashboard |
|
Kibana NIDS Dashboard |
|
Kibana Notices Dashboard |
|
Kibana HTTP Dashboard |
|
Pivot to full packet capture to see the full EXE |
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.