[Lab-ThreatHunt] Team PCAP Analysis 1
School: Madison Area Technical College, Madison
Course: 804-208
Subject: Information Systems
Date: Dec 6, 2023
Type: docx, 9 pages
Uploaded by LavonCN
Contents:
PreLab:
    Download the required lab files:
ToDo:
    Step 1) Know your Network [Everyone Does This]:
    Step 2) Analyze Alerts:
Question 1) Put your first rule.name here
    Step 1) Create a Hypothesis:
    Step 2) Collect some facts about the alert using Hunt:
    Step 3) Make your list of things that prove/disprove your hypothesis
    Step 4) Confirm your Hypothesis:
    Step 5) Write your summary:
Question 2) Put Your Second Rule Name Here
    Step 1) Create a Hypothesis:
    Step 2) Collect some facts about the alert using Hunt:
    Step 3) Make your list of things that prove/disprove your hypothesis
    Step 4) Confirm your Hypothesis:
    Step 5) Write your summary:
Submit your lab in BlackBoard:
PreLab:
Make sure to always double check your SHA-1 or MD5 checksums before you open a downloaded sample.
Download the required lab files:
Note: Credit for the malware sample pcaps goes to https://www.malware-traffic-analysis.net/
1. Download the files to "/home/student/LABS/Lab8/":
    ○ 2018-10-31-traffic-analysis-exercise.pcap.zip
    ○ 2018-10-31-traffic-analysis-exercise.pcap.zip.sha1
2. Change into the lab directory:
    cd /home/student/LABS/Lab8/
3. Confirm the checksum of the downloaded archive. Run "sha1sum -c" against the .sha1 file; it reads the expected digest and filename from that file and prints "<file>: OK" on a match or "FAILED" on a mismatch. If it fails, re-download instead of extracting:
    sha1sum -c 2018-10-31-traffic-analysis-exercise.pcap.zip.sha1
4. Extract the zip file (the archive password is "infected"):
    unzip -P infected 2018-10-31-traffic-analysis-exercise.pcap.zip
5. Clear all old imports:
    sudo clear_all_imports
6. Import the pcap file into Security Onion:
    sudo so-import-pcap <file.pcap>
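The same PreLab steps 3 to 6 as one script, added here as an example and not part of the lab handout. The point it shows is that the checksum check gates the extraction and the import: a mismatched digest, or a .sha1 file that is really an HTML error page, raises before anything is unzipped, instead of a "FAILED" line scrolling past. Assumptions not stated in the handout: the .sha1 file is in GNU sha1sum format ("<40 hex digits>  <filename>"), the archive is ZipCrypto-encrypted with the malware-traffic-analysis.net convention password "infected" (Python's zipfile cannot open AES zips; use unzip or 7z as in step 4 for those), and clear_all_imports and so-import-pcap are on the PATH of the Security Onion host. The archive used in the usage below is a constructed stand-in, not the lab file.

```python
"""Added example, not part of the lab handout: PreLab steps 3 to 6 as one
script in which the checksum check gates extraction and import, so a bad or
malformed .sha1 stops the run instead of scrolling past as "FAILED".
Assumptions not on the page: the .sha1 is in GNU sha1sum format
("<40 hex>  <filename>"); the archive is ZipCrypto with the
malware-traffic-analysis.net password "infected" (Python's zipfile cannot
open AES zips; use unzip/7z as in the handout for those); clear_all_imports
and so-import-pcap are on PATH of the Security Onion host.
"""
import hashlib
import re
import shutil
import subprocess
import zipfile
from pathlib import Path

LAB_DIR = Path("/home/student/LABS/Lab8")
ZIP_NAME = "2018-10-31-traffic-analysis-exercise.pcap.zip"
ZIP_PASSWORD = b"infected"
# sha1sum writes "<hex digest><space><space or *><filename>"
_SHA1_LINE = re.compile(r"^([0-9a-fA-F]{40})\s[ *](\S.*)$")


def expected_sha1(sha1_file: Path) -> tuple[str, str]:
    """Parse the first sha1sum-format line into (hex digest, filename).

    An empty file, an HTML error page saved as .sha1, or a BSD-style
    "SHA1 (f) = ..." line raises ValueError instead of being treated as a match.
    """
    lines = sha1_file.read_text(encoding="utf-8", errors="replace").splitlines()
    m = _SHA1_LINE.match(lines[0]) if lines else None
    if not m:
        raise ValueError(f"{sha1_file.name} is not in sha1sum format")
    return m.group(1).lower(), m.group(2).strip()


def sha1_of(path: Path) -> str:
    """Stream the file through SHA-1 (pcap archives can be large)."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksum(archive: Path) -> bool:
    """Step 3: True only if the digest and the recorded filename both match."""
    digest, name = expected_sha1(archive.with_name(archive.name + ".sha1"))
    return name == archive.name and sha1_of(archive) == digest


def extract_pcaps(archive: Path) -> list[Path]:
    """Step 4, gated on step 3: extract and return the .pcap paths."""
    if not verify_checksum(archive):
        raise RuntimeError(f"SHA-1 mismatch for {archive.name}; refusing to extract")
    with zipfile.ZipFile(archive) as zf:
        zf.extractall(archive.parent, pwd=ZIP_PASSWORD)
        return [archive.parent / n for n in zf.namelist() if n.endswith(".pcap")]


def import_pcaps(archive: Path = LAB_DIR / ZIP_NAME) -> list[Path]:
    """Steps 3 to 6: verify, extract, clear old imports, import each pcap."""
    pcaps = extract_pcaps(archive)
    if shutil.which("so-import-pcap") is None:
        raise RuntimeError("so-import-pcap not on PATH; run on the Security Onion host")
    subprocess.run(["sudo", "clear_all_imports"], check=True)
    for pcap in pcaps:
        subprocess.run(["sudo", "so-import-pcap", str(pcap)], check=True)
    return pcaps


if __name__ == "__main__":
    for p in import_pcaps():
        print("imported", p)
```

Run it on the Security Onion host after both files are in the lab directory; verify_checksum() is the only step that touches the archive before the password is supplied, and a False there stops everything downstream.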
ToDo:
Step 1) Know your Network [Everyone Does This]:
The first step is to understand the layout of the network you are analyzing. Document the layout of the network based on the visibility you have from your pcap file.
Note: You can usually figure out this information quickly by loading the pcap file into NetworkMiner.
Understand the local network. Document the following:
● LAN segment range: 10.100.9.x
● Network: 10.100.9.0
● Mask: 255.255.255.0
● Domain: halloweenjob.com
● Domain Controller: 10.100.9.4
● Local DNS Server: 10.100.9.4
● LAN segment gateway: 10.100.9.4
● LAN segment broadcast address: 10.100.9.255
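A way to derive each of the entries above from the packets rather than reading them off NetworkMiner, added here as an example and not part of the lab handout. The checks it encodes: the DNS server is the host clients send UDP/53 queries to; the LAN is the /24 those clients live in; the domain controller is the target of Kerberos (88) and LDAP (389) traffic; the AD domain is the suffix of the _ldap._tcp / _kerberos._tcp SRV lookups; and the gateway is whichever MAC local hosts address off-subnet frames to, resolved to an IP through ARP, so the gateway entry is confirmed from layer 2 rather than assumed to be the DC. Assumptions not stated on the page: a classic libpcap (not pcapng) Ethernet/IPv4 capture, a /24 LAN, and DNS and SRV lookups present in the traffic. SAMPLE_FRAMES are constructed for this example with the page's own addresses (198.51.100.7 is a TEST-NET stand-in for an Internet host), so the output reproduces the list above; pass a pcap path on the command line to run it on the real capture.

```python
"""Added example, not part of the lab handout: derive the Step 1 entries from
the packets so each one can be checked, using only the standard library.
Assumptions not on the page: a classic libpcap (not pcapng) Ethernet/IPv4
capture, a /24 LAN, and DNS plus AD SRV lookups (_ldap._tcp / _kerberos._tcp)
in the traffic. SAMPLE_FRAMES is constructed here with the page's own addresses."""
import struct
import sys
from collections import Counter
from ipaddress import IPv4Address, IPv4Network

def read_pcap(path):
    """Yield raw frames from a classic libpcap file in either byte order."""
    with open(path, "rb") as f:
        magic = f.read(24)[:4]
        order = "<" if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
        while hdr := f.read(16):
            yield f.read(struct.unpack(order + "IIII", hdr)[2])  # field 2 = caplen

def qname(dns):  # first question name; questions are never compressed
    name, i = [], 12
    while dns[i]:
        name.append(dns[i + 1:i + 1 + dns[i]].decode("ascii", "replace"))
        i += 1 + dns[i]
    return ".".join(name)

def parse(frame):
    """Decode the Ethernet/ARP/IPv4/UDP/TCP fields profile() needs, else None."""
    p = {"dmac": frame[:6].hex(":"), "smac": frame[6:12].hex(":")}
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == 0x0806:  # ARP: sender MAC/IP binds an address to a NIC
        p["arp"] = (frame[22:28].hex(":"), str(IPv4Address(frame[28:32])))
        return p
    if etype != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    p["src"], p["dst"] = IPv4Address(frame[26:30]), IPv4Address(frame[30:34])
    proto = frame[23]
    p["dport"] = struct.unpack("!H", frame[16 + ihl:18 + ihl])[0] if proto in (6, 17) else None
    if proto == 17 and p["dport"] == 53:
        p["qname"] = qname(frame[22 + ihl:])  # past the 8-byte UDP header
    return p

def profile(frames):
    """Build the Step 1 table from frames; the LAN is assumed to be a /24."""
    pk = [p for p in map(parse, frames) if p]
    ip = [p for p in pk if "src" in p]
    dns_q = [p for p in ip if "qname" in p]
    # DNS server: where clients send UDP/53; the LAN is the clients' /24.
    dns = Counter(p["dst"] for p in dns_q).most_common(1)[0][0]
    net = Counter(IPv4Network(f"{p['src']}/24", strict=False) for p in dns_q).most_common(1)[0][0]
    # Domain controller: the target of Kerberos (88) and LDAP (389) requests.
    dc = Counter(p["dst"] for p in ip if p["dport"] in (88, 389)).most_common(1)[0][0]
    # AD domain: the SRV names clients resolve to locate a DC end in it.
    srv = [p["qname"].split("._tcp.", 1)[1] for p in dns_q
           if p["qname"].startswith(("_ldap._tcp.", "_kerberos._tcp."))]
    domain = srv[0].split("_msdcs.", 1)[-1] if srv else "unknown"
    # Gateway: the MAC local hosts send off-subnet frames to, resolved via ARP (a check, not a guess).
    gw_mac = Counter(p["dmac"] for p in ip if p["src"] in net and p["dst"] not in net).most_common(1)[0][0]
    gw_ip = dict(p["arp"] for p in pk if "arp" in p).get(gw_mac, f"unknown (MAC {gw_mac}, no ARP seen)")
    return {
        "LAN segment range": str(net.network_address).rsplit(".", 1)[0] + ".x",
        "Network": str(net.network_address),
        "Mask": str(net.netmask),
        "Domain": domain,
        "Domain Controller": str(dc),
        "Local DNS Server": str(dns),
        "LAN segment gateway": gw_ip,
        "LAN segment broadcast address": str(net.broadcast_address),
    }

# Builders for the constructed sample traffic below (not taken from the lab pcap).
def ip_frame(smac, dmac, src, dst, proto, dport, payload=b""):
    l4 = struct.pack("!HH", 49152, dport) + b"\0" * (4 if proto == 17 else 16) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return dmac + smac + b"\x08\x00" + ip + l4  # Ethernet + IPv4 + bare UDP/TCP header

def arp_reply(smac, sip, tmac, tip):  # "sip is at smac", sent to tip at tmac
    return (tmac + smac + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
            + smac + IPv4Address(sip).packed + tmac + IPv4Address(tip).packed)

def dns_query(name):  # standard query, QTYPE 33 (SRV), IN class
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + labels + b"\0" + struct.pack("!HH", 33, 1)

DC, H1, H2 = "10.100.9.4", "10.100.9.114", "10.100.9.132"
DC_MAC, H1_MAC, H2_MAC = (bytes.fromhex(m) for m in ("001122334404", "001122334401", "001122334402"))
SAMPLE_FRAMES = [
    ip_frame(H1_MAC, DC_MAC, H1, DC, 17, 53, dns_query("_ldap._tcp.dc._msdcs.halloweenjob.com")),
    ip_frame(H2_MAC, DC_MAC, H2, DC, 17, 53, dns_query("_kerberos._tcp.halloweenjob.com")),
    ip_frame(H1_MAC, DC_MAC, H1, DC, 6, 88),               # Kerberos to the DC
    ip_frame(H2_MAC, DC_MAC, H2, DC, 6, 389),              # LDAP to the DC
    ip_frame(H1_MAC, DC_MAC, H1, "198.51.100.7", 6, 443),  # off-subnet, sent to the gateway MAC
    arp_reply(DC_MAC, DC, H1_MAC, H1),                     # 10.100.9.4 answering an ARP request
]

if __name__ == "__main__":
    frames = read_pcap(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FRAMES
    print(*(f"{k}: {v}" for k, v in profile(frames).items()), sep="\n")
```

If the gateway line comes back as "unknown (MAC ..., no ARP seen)", the capture never recorded the router answering an ARP request; in that case look the MAC up in NetworkMiner's host list, or find a frame the router sent with its own IP, rather than copying the DC address into that field.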
Step 2) Analyze Alerts:
There are 18 individual rules that fire for this particular pcap file. Group the alerts by rule name in Hunt with:
● event.dataset: alert | groupby rule.name
Each team member will analyze two (or more) of the alerts using the process that we used in the previous lab. Note: If there are additional alerts, a single team member can analyze them or you can do it as a group.