In Security Onion 2.3.60, we added the ability to select a small section of text in the SOC PCAP interface and then send that selected text to CyberChef (for example, you might select a base64 encoded string and send it to CyberChef to decode it).
But we didn't stop there!
One of the great new features in Security Onion 2.3.70 is the ability to quickly and easily send the entire PCAP transcript to CyberChef which allows you to do file extraction or other analysis.
For example, suppose you are looking at an interesting HTTP file download in our SOC PCAP interface and want to extract the file.
Click the CyberChef button on the right side of the table header.
CyberChef will launch in a new tab. It will then show the hexdump in the Input box, automatically apply the "From Hexdump" recipe, and show the HTTP transcript in the Output box.
You may want to apply an operation from the left column. One option is to use the "Extract Files" operation. If you choose this option, you may want to specify certain file types for extraction. In this case, let's instead remove the client HTTP headers using the "Strip HTTP headers" operation.
If a magic wand appears in the Output box, then CyberChef has detected some applicable operations and you can click the magic wand to automatically apply those operations. Here, CyberChef is automatically applying "Strip HTTP headers" again to remove the web server HTTP headers and then rendering the actual PNG image.
For more information, please see our PCAP and CyberChef documentation.
Of course, you can also extract files using Wireshark or NetworkMiner, but it's good to have options!