My key takeaways
- Zeek does not capture whole packets but saves summaries of all conversations it sees to log files
  - saves time and space
"You wouldn’t normally use Zeek for packet capture, instead you use it for analysis." – Bill Stearns
- Sending a lot more data than receiving might indicate malicious traffic
- use NetworkMiner to reconstruct network packets
  - not free, but there is a free edition
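To make the first two takeaways concrete (Zeek writes per-connection summaries, and a host that sends far more than it receives is worth a look), here is an added example that is not from the webcast or from Active Countermeasures: a small Python script that reads Zeek's conn.log TSV format, sums orig_bytes and resp_bytes per originating host, and flags hosts whose sent/received ratio crosses a threshold. The sample conn.log, the hosts and the ratio/minimum-bytes thresholds are all constructed for this illustration; tune the thresholds to your own baseline.

```python
"""Flag hosts in a Zeek conn.log that send far more than they receive.

Added example: parses the conn.log TSV layout Zeek emits (header lines
starting with '#', one connection summary per data line) and applies a
simple upload-heavy heuristic per originating host.
"""
from collections import defaultdict

# Constructed sample conn.log (not real capture data). The column order
# follows the '#fields' header line, exactly as a real conn.log does.
# Host 10.0.0.7 is built to look like DNS used for bulk egress.
SAMPLE_CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1700000000.100000\tCabc1\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\tssl\t1.2\t1500\t48000\tSF
1700000001.200000\tCabc2\t10.0.0.5\t51235\t93.184.216.34\t80\ttcp\thttp\t0.4\t800\t12000\tSF
1700000002.300000\tCabc3\t10.0.0.7\t44120\t203.0.113.9\t53\tudp\tdns\t0.1\t95000\t3200\tSF
1700000003.400000\tCabc4\t10.0.0.7\t44121\t203.0.113.9\t53\tudp\tdns\t0.1\t87000\t2900\tSF
1700000004.500000\tCabc5\t10.0.0.9\t60000\t198.51.100.4\t22\ttcp\tssh\t30.0\t-\t-\tS0
"""


def parse_conn_log(text):
    """Yield one dict per connection record, naming columns from '#fields'."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other header lines ('#separator', '#types', '#close') and blanks
        if fields is None:
            raise ValueError("data line seen before '#fields' header")
        yield dict(zip(fields, line.split("\t")))


def to_int(value):
    """Zeek writes '-' for unset counts (e.g. a connection that never completed)."""
    return 0 if value == "-" else int(value)


def bytes_per_host(records):
    """Sum bytes sent (orig_bytes) and received (resp_bytes) per originating host."""
    totals = defaultdict(lambda: {"sent": 0, "received": 0})
    for r in records:
        host = totals[r["id.orig_h"]]
        host["sent"] += to_int(r["orig_bytes"])
        host["received"] += to_int(r["resp_bytes"])
    return dict(totals)


def flag_upload_heavy(totals, ratio=5.0, min_sent=10_000):
    """Return {host: sent/received ratio} for hosts sending far more than they receive.

    'ratio' and 'min_sent' are assumed thresholds for this example; the
    minimum keeps tiny, chatty connections from producing noisy ratios.
    """
    flagged = {}
    for host, t in totals.items():
        if t["sent"] < min_sent:
            continue
        # A host that received nothing at all is treated as an infinite ratio.
        if t["received"] == 0 or t["sent"] / t["received"] >= ratio:
            flagged[host] = round(t["sent"] / max(t["received"], 1), 1)
    return flagged


def analyze(text=SAMPLE_CONN_LOG):
    """Run the whole pipeline on a conn.log body and return the flagged hosts."""
    return flag_upload_heavy(bytes_per_host(parse_conn_log(text)))


if __name__ == "__main__":
    for host, r in analyze().items():
        print(f"{host}: sends {r}x more than it receives")
```

On a real system, read the file instead of the embedded string (Zeek's `conn.log` is already in this layout, so `analyze(open("conn.log").read())` is all it takes) and compare the ratios against what your own hosts normally look like rather than against the constructed threshold.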
Env
- Provided by Active Countermeasures
- Presenters:
  - Hannah Cartier
  - Keith Chew
Additional links
- http://www.stearns.org/doc/pcap-apps.html
- https://www.activecountermeasures.com/free-tools/passer/
- https://zeek.org/
- https://www.activecountermeasures.com/02-27-2020-acm-webcast-sniffing-traffic-in-amazon-ec2-with-traffic-mirroring/
- https://www.activecountermeasures.com/free-tools/rita/
- https://wildwesthackinfest.com/antisyphon/getting-started-with-packet-decoding-w-chris-brenton/
- https://www.activecountermeasures.com/malware-of-the-day-dnscat2-dns-tunneling/
- packet sanitizer / anonymization
- mess with pings
- sources for good pcaps to analyze for practice
  - https://www.malware-traffic-analysis.net/