To investigate further, run a query on the original logs (1) and filter by the IP address of 66.32.119.38 (2) to get an idea of the time it occurred.įigure 7 - Running a query for a specific IP address in Squert. Setting up a filterĬlick back to the Events page, and we will apply a filter (1) for the IP address of 66.32.119.38 to see if any events have been logged about this activity.įigure 6 - Squert’s Events page with IP address filter.įrom the output, it certainly does look like an Indicator of Compromise (IoC) because a suspicious file was downloaded from the IP address of 66.32.119.38. We can confirm our hypothesis on the Views page, which uses a Sankey diagram to show the relationships between IP addresses, source economies and destination economies.įrom this diagram, we can see that the IP address of 172.16.150.20 (1) is indeed mainly talking to 58.64.132.141, but there is also a red line showing a relationship with 66.32.119.38. Using this metadata, we can hypothesize that the infected machine has an IP address of 172.16.150.20 and is talking to 58.64.132.141. We can also see that a lot of traffic is originating from an IP address of 172.16.150.20 (2) and that a lot of traffic is going to an IP address of 58.64.132.141 (3). Looking at the summary, we can see straight away that there may be a Command and Control Trojan (CnC) activity in the packet capture file (1). The Summary page (below) shows a list of the top signatures and the top source and destinations via IP address and economy. Click on the Summary (1) tab to get started.įigure 3 - Squert’s Events view, with Summary (1) and Views (2) tabs. By changing the views, the events are displayed in different formats, making it easier to interpret the packets and the metadata. Without knowing too much about the data and events, Squert’s visualization tools will help to identify suspicious sessions or behaviours. When Squert first opens you will see a list of all the events. #Wireshark capture samples series#Squert helps provide additional context to the events through the use of metadata and time series representations. Now that we have imported the packet capture file, let’s look at the alerts that were generated by Snort using Squert, a visualization tool that will query and view event data. To import the fake_av.pcap file, type the following command in a terminal window: $ sudo so-replay fake_av.pcapįigure 2 - Output of the so-replay command.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |