PacketSifter is a tool to perform batch processing of PCAP data to uncover potential IOCs.
Simply initialize PacketSifter with your desired integrations (VirusTotal, AbuseIPDB), then pass PacketSifter a pcap and the desired switches; PacketSifter will sift through the data and generate several output files.
Note: Please run AbuseIPDBInitial.sh and VTInitial.sh prior to using their corresponding switches, or the integrations will not work.
PacketSifter has been revamped to allow a more streamlined interaction with the user. Simply download the new updated packetsifter.sh, run ./packetsifter -h and learn how to properly use the new PacketSifter!
Ross Burke (Twitter @packetsifter)
How it works
Simply pass PacketSifter your pcap to analyze along with your desired flags and let PacketSifter do the work for you!
[email protected]:~# ./packetsifter -i /tmp/testing.pcap -a -r -v
Command Line Options
- -a enable AbuseIPDB lookups of IP addresses in DNS A records
- -h print help
- -i input file [Required]
- -r resolve hostnames in pcap [Can result in DNS queries to attacker infrastructure]
- -v enable VirusTotal lookup of exported SMB/HTTP objects
Dependency: tshark – https://tshark.dev/setup/install/
Currently, PacketSifter generates the following pcaps:
- http.pcap – All conversations containing port 80, 8080, or 8000
- smb.pcap – All conversations classified by tshark dissectors as NBSS, SMB, or SMB2
- dns.pcap – All conversations classified by tshark dissectors as DNS
- ftp.pcap – All conversations classified by tshark dissectors as FTP
Currently, PacketSifter generates the following text files:
- IOstatistics.txt – Protocol hierarchy and input/output broken up into 30-second intervals (useful for finding potential beaconing)
- IPstatistics.txt – Overall stats to/from endpoints over IP and individual conversations over IP
- TCPstatistics – Overall stats to/from endpoints over TCP and individual TCP conversations broken down. Note: this file can contain a large amount of data. It is recommended to use less or grep for the conversation in question.
- http_info.txt – Statistical information about HTTP conversations
- hostnamesResolved.txt (optional) – Resolved hostnames observed in the pcap. Note: this can result in DNS queries for attacker infrastructure. Proceed with caution!!
- SMBstatistics.txt – Stats on commands run using SMB or SMB2
- dnsARecords.txt – DNS A queries/responses
- dnsTXTRecords.txt – DNS TXT queries/responses
- errors.txt – trash file
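To make the http.pcap port rule and the 30-second bucketing behind IOstatistics.txt concrete, here is an added pure-Python sketch of those two steps. It is not PacketSifter's own code (PacketSifter drives tshark); the DNS/SMB port-based classification, the constructed sample pcap and all function names are assumptions for illustration.

```python
"""Pure-Python sketch of two PacketSifter steps: split a pcap into http/smb/dns
pcaps (HTTP by TCP port 80/8080/8000 as PacketSifter does; DNS/SMB approximated by
UDP 53 and TCP 139/445 rather than tshark dissectors) and count packets per 30-second
interval like IOstatistics.txt. Assumes little-endian pcap with Ethernet/IPv4 frames."""
import struct
from collections import Counter, defaultdict

PCAP_MAGIC, HTTP_PORTS, SMB_PORTS = 0xA1B2C3D4, {80, 8080, 8000}, {139, 445}

def classify(frame):
    """Return 'http', 'smb', 'dns' or None for one Ethernet/IPv4 frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 ethertype only
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    l4 = frame[14 + ihl:]
    if len(l4) < 4:
        return None
    ports = set(struct.unpack("!HH", l4[:4]))            # src and dst port
    if proto == 6 and ports & HTTP_PORTS:
        return "http"
    if proto == 6 and ports & SMB_PORTS:
        return "smb"
    if proto == 17 and 53 in ports:
        return "dns"
    return None

def sift(pcap):
    """Return ({kind: pcap_bytes}, {interval_start: packet_count})."""
    if struct.unpack("<I", pcap[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic little-endian pcap")
    header, out, buckets, off = pcap[:24], defaultdict(bytes), Counter(), 24
    while off + 16 <= len(pcap):
        ts, _us, caplen, _ = struct.unpack("<IIII", pcap[off:off + 16])
        rec = pcap[off:off + 16 + caplen]                # record header + frame
        kind = classify(rec[16:])
        if kind:
            out[kind] += rec
        buckets[ts // 30 * 30] += 1                      # 30-second bucket
        off += 16 + caplen
    return {k: header + v for k, v in out.items()}, dict(buckets)

def frame(proto, sport, dport):
    # Constructed frame: Ethernet + minimal 20-byte IPv4 header + L4 port pair.
    ip = bytes([0x45, 0, 0, 24, 0, 0, 0, 0, 64, proto, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2])
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport)

def record(ts, payload):
    return struct.pack("<IIII", ts, 0, len(payload), len(payload)) + payload

# Constructed sample: one DNS lookup, then HTTP every 30 s (beacon-like), then SMB.
SAMPLE = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
SAMPLE += record(990, frame(17, 51000, 53)) + record(995, frame(6, 51001, 80))
SAMPLE += record(1020, frame(6, 51002, 8080)) + record(1050, frame(6, 51003, 445))
```

Each returned pcap keeps the original global header, so the split files open in Wireshark or tshark like PacketSifter's own http.pcap/smb.pcap/dns.pcap.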
VirusTotal integration output text files (all optional):
- httpHashToObject.txt – Text file containing md5 hash to object pairings for reference
- httpVTResults.txt – Text file containing results of md5 hash lookups of HTTP objects via the VirusTotal API
- smbHashToObject.txt – Text file containing md5 hash to object pairings for reference
- smbVTResults.txt – Text file containing results of md5 hash lookups of SMB objects via the VirusTotal API
AbuseIPDB integration output text files (optional):
- IPLookupResults.txt – Text file containing IP geolocation + IP reputation results
Currently, PacketSifter generates the following tar.gz files:
- httpObjects.tar.gz – HTTP objects observed in the pcap. Note: there can be a lot of HTTP objects and you will likely extract malicious HTTP objects depending on the pcap. Use with caution!!
- smbObjects.tar.gz – SMB objects observed in the pcap. Note: there can be a lot of SMB objects and you will likely extract malicious SMB objects depending on the pcap. Use with caution!!