These are working notes on the Wireshark display filters I use for different use cases, plus references to material worth reading.
- Potential Flash malware download: http.content_type == "application/x-shockwave-flash"
- Potential executable download: frame contains "DOS mode"
  (matches the "This program cannot be run in DOS mode" stub that every PE file carries, so it flags any Windows executable, not only malware, and only when the string sits inside a single frame)
- Find hostname frames (NBNS unique names, i.e. hosts rather than workgroups): nbns.nb_flags.group == 0
- HTTP methods: http.request.method == "POST"
- HTTP redirects (3xx inclusive): http.response.code ge 300 && http.response.code lt 400
- Find usernames in Kerberos tickets: kerberos.CNameString
  (computer account names end in "$"; kerberos.CNameString && !(kerberos.CNameString contains "$") keeps only user principals)
- IRC traffic: tcp.port == 6666 || tcp.port == 6667 || tcp.port == 6668 || tcp.port == 6669
- DNS query: dns.qry.name
- Multiple DNS answers: dns.count.answers gt 5
- Custom fields (handy as custom columns; the two http.header.* fields only exist once the header names are added under Preferences > Protocols > HTTP > Custom HTTP header fields):
  - http.header.True-Client-IP
  - http.header.WL-Proxy-Client-IP
  - kerberos.CNameString
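The executable-download filter above is a string heuristic, so here is an added example (my own code, not part of the original notes) of what it matches and what it misses. The DOS stub text appears in every PE file, malicious or not, so a hit is confirmed by checking the MZ header and the PE signature at e_lfanew; and because frame contains is evaluated one frame at a time, a stub that straddles two TCP segments is never matched even though the reassembled body contains it. The PE-shaped blob, the HTML decoy and the segment size are all constructed here for illustration; in practice classify() is run on a body saved via File > Export Objects > HTTP.

```python
import struct

# The DOS stub string that the Wireshark filter  frame contains "DOS mode"  keys on.
DOS_STUB_MARKER = b"This program cannot be run in DOS mode"

# Constructed sample: an HTML page that merely talks about the string. It is a
# false positive for the filter, not an executable.
DECOY_HTML = (b"<html><body>Why does every .exe start with "
              b"'This program cannot be run in DOS mode'?</body></html>")


def build_sample_pe() -> bytes:
    """Constructed minimal PE-shaped blob (MZ header, DOS stub, PE signature).

    It is not a runnable executable; it only reproduces the layout the checks
    below rely on.
    """
    e_lfanew = 0x80                                   # offset of the "PE\0\0" signature
    header = bytearray(0x40)                          # IMAGE_DOS_HEADER is 64 bytes
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)    # e_lfanew lives at offset 0x3C
    # Standard DOS stub code followed by its message
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            + DOS_STUB_MARKER + b".\r\r\n$")
    blob = bytes(header) + stub
    blob += b"\x00" * (e_lfanew - len(blob))
    blob += b"PE\x00\x00" + struct.pack("<H", 0x8664)  # signature + Machine = AMD64
    return blob


def classify(data: bytes) -> str:
    """Classify a reassembled body (e.g. a file saved via File > Export Objects > HTTP).

    Returns:
      "pe_executable"        - MZ header whose e_lfanew points at a PE\\0\\0 signature
      "dos_stub_string_only" - the DOS stub text is present but the structure is not
      "not_pe"               - neither
    """
    has_marker = DOS_STUB_MARKER in data
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe_executable"
    return "dos_stub_string_only" if has_marker else "not_pe"


def split_into_segments(data: bytes, size: int) -> list:
    """Cut a body into fixed-size chunks, standing in for TCP segments / frames."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def marker_seen_per_frame(segments) -> bool:
    """What  frame contains "DOS mode"  sees: each frame is tested on its own."""
    return any(DOS_STUB_MARKER in seg for seg in segments)


if __name__ == "__main__":
    sample = build_sample_pe()
    print("full body:", classify(sample))                       # pe_executable
    print("decoy html:", classify(DECOY_HTML))                   # dos_stub_string_only
    segments = split_into_segments(sample, 100)                  # the marker straddles the cut
    print("per-frame match:", marker_seen_per_frame(segments))   # False
    print("reassembled match:", classify(b"".join(segments)))    # pe_executable
```

The per-frame gap is why, on HTTP downloads with TCP reassembly enabled, http.file_data contains "DOS mode" (evaluated against the reassembled body) is a more reliable hunt than frame contains; the structural check in classify() then separates real PE files from pages that merely quote the string.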
Pcap analysis tools: PacketTotal, Security Onion
References:
https://www.wiresharkbook.com/studyguide.html
https://www.wiresharkbook.com/troubleshooting.html