Malicious pcap extraction with docker|bro|tshark|suricata
I thought I would share my dockerfile that contains:
- suricata; and
Link to Github: https://github.com/MrThreat/suricata_the_tshark_bro
This setup can give you a quick file extraction and platform for pcap analysis.
Example commands that can be used are:
(there are near unlimited examples, but…)
File extraction from pcaps:
- bro -C -r *.pcap /usr/share/bro/site/file-extraction/scripts/plugins/extract-all-files.bro
Identifying malicious actions within pcaps:
- suricata -c /etc/suricata/suricata.yaml -r *.pcap && cat /var/log/suricata/fast.log
Identifying dns responses within pcaps:
- tshark -r *pcap -T fields -e dns.qry.name "dns.flags.response == 0x8180" |sort -u
Also if you need help or anything, been doing this too long haha drop me a message or @grotezinfosec
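The suricata command above just cats fast.log, which gets noisy on a big pcap. As an added example (not part of the original post or the linked repo), here is a small Python parser that reads fast.log lines and counts alerts per signature and per source host, with an optional priority filter; the log lines are constructed samples, not real Suricata output.

```python
import re
from collections import Counter

# Constructed sample fast.log lines (not real alerts), in the one-line format
# Suricata writes when run as: suricata -c /etc/suricata/suricata.yaml -r *.pcap
SAMPLE_FAST_LOG = """\
01/15/2019-10:22:01.123456  [**] [1:2008120:3] ET MALWARE Example beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49152 -> 203.0.113.7:80
01/15/2019-10:22:03.000001  [**] [1:2008120:3] ET MALWARE Example beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49153 -> 203.0.113.7:80
01/15/2019-10:23:10.555000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:80 -> 10.0.0.5:49153
01/15/2019-10:24:00.000000  [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:40000 -> 198.51.100.2:443
this line is not a valid alert and must be skipped
"""

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
# Classification is optional because not every rule sets a classtype.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


def parse_fast_log(text):
    """Parse fast.log text into a list of alert dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line)
        if not m:
            continue
        alert = m.groupdict()
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            alert[key] = int(alert[key])
        alerts.append(alert)
    return alerts


def summarize(alerts, max_priority=None):
    """Count alerts per (sid, msg) and per source host.
    max_priority keeps only alerts with priority <= that value (Suricata: 1 is highest)."""
    kept = [a for a in alerts if max_priority is None or a["prio"] <= max_priority]
    by_sig = Counter((a["sid"], a["msg"]) for a in kept)
    by_src = Counter(a["src"] for a in kept)
    return by_sig, by_src


if __name__ == "__main__":
    # Stand-alone run on the constructed sample; replace with open("/var/log/suricata/fast.log").read()
    by_sig, by_src = summarize(parse_fast_log(SAMPLE_FAST_LOG))
    for (sid, msg), n in by_sig.most_common():
        print(f"{n:4d}  sid {sid}  {msg}")
    for src, n in by_src.most_common():
        print(f"{n:4d}  from {src}")
```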
Sweet thanks for the share!!
You know, https://malware-traffic-analysis.com is also good for learning about this.
I like this docker thanks!