This blog post walks through the lab exercise from "malware-traffic-analysis.net" posted in February 2016. The focus is on using Splunk as a SIEM to find the malicious pattern in the Suricata logs produced from the pcap. It assumes basic working knowledge of Splunk, Suricata and Wireshark.
Files can be downloaded from "malware-traffic-analysis.net":
PCAP of the traffic: 2016-02-28-traffic-analysis-exercise.pcap 16.2 MB
ZIP archive of the above PCAP: 2016-02-28-traffic-analysis-exercise.pcap.zip 13.4 MB
My set-up runs the analysis tools (Suricata, Wireshark and Fiddler) inside a virtual machine and uses a Splunk universal forwarder to ship the Suricata logs to the Splunk core instance. Follow the post below for installing Suricata and configuring the forwarder to transport the logs to Splunk.
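As an added illustration (not the configuration from the post referred to above), here is the minimal forwarder and indexer configuration that produces the `index="suricata"`, `sourcetype="pcap"` and `source="*$crimename$*"` fields the searches later on this page rely on. The directory path is an assumption; the point is to monitor the parent directory recursively so that `source` carries the campaign folder name, which is what the `$crimename$` token matches on.

```ini
# Universal forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf
# Assumed layout: one folder per campaign under this directory, each holding the eve.json
# written by "suricata -l <folder>". Monitoring the parent recursively makes the
# Splunk "source" field contain the campaign folder name.
[monitor:///var/log/suricata/lab]
whitelist = eve\.json$
index = suricata
sourcetype = pcap
disabled = false

# Indexer / search head: $SPLUNK_HOME/etc/system/local/props.conf
# eve.json is newline-delimited JSON, one event per line; parse it at index time so
# nested fields such as alert.signature and http.hostname are searchable directly.
[pcap]
INDEXED_EXTRACTIONS = json
KV_MODE = none
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = timestamp
```

Create the `suricata` index before enabling the input, or the forwarder's events will be dropped with an index-not-found error on the indexer.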
Navigate to the Suricata folder and run the following command. (The sample run below was captured against a different exercise pcap, 2015-02-15; substitute the path to the 2016-02-28 pcap.)
suricata -c suricata.yaml -r input_pcap_file_location -l output_location_to_store_the_logs
root@brainfold-blackbox:/opt/suricata-3.1.1# suricata -c /opt/suricata-3.1.1/suricata.yaml -r /mnt/hgfs/Shared/network_traffic_analysis/CRIME/2015-02-Nuclear-EK/2015-02-15-traffic-analysis-exercise.pcap -l /mnt/hgfs/Shared/network_traffic_analysis/CRIME/2015-02-Nuclear-EK/
A successful run prints the following notices and no errors:
<Notice> - This is Suricata version 3.1.1 RELEASE
<Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
<Notice> - Signal Received. Stopping engine.
<Notice> - Pcap-file module read 3103 packets, 2155330 bytes
Suricata's output file eve.json is newline-delimited JSON, one record per line. Each record carries an event_type that segregates the activity into alert, dns, fileinfo, flow, http, stats and tls records, with the details nested under a key of the same name (alert.signature, http.hostname, fileinfo.filename, and so on). This is very useful for identifying the malicious events.
The screenshots are taken from a single-view dashboard purpose-built for analysing malicious pcap files in the lab. To make a campaign easy to isolate, the dashboard uses a multi-select token ($crimename$) that filters the searches by campaign name, which is part of the log's source path.
I will share the full XML of the dashboard, with its searches, in a separate post.
Screenshot showing the Emerging Threats Signature
Event by Category
index="suricata" sourcetype="pcap" source="*$crimename$*" | stats count by event_type
List of Signatures Triggered
index="suricata" sourcetype="pcap" source="*$crimename$*" event_type=alert alert.signature!="*suricata*" | stats count by alert.signature | rename alert.signature AS "Signatures_Triggered" | table "Signatures_Triggered"
List of Notable HTTP Traffic
Two separate requests were made, one to misspluss[.]hu and one to www[.]mysecretdeals[.]nl, each followed by file downloads and a connection back to C2. The first chain, from misspluss[.]hu, does not appear to have succeeded (the follow-up request goes to img.zolotcevasunya.info), while the second chain does appear to have communicated successfully with netmakevitelaoversttelsestidspunkt.timepassion[.]com and then with biocarbon[.]com[.]ec.
index="suricata" sourcetype="pcap" source="*$crimename$*" (http.http_content_type="text/html" OR http.http_content_type="*application*") | stats count by http.hostname
index="suricata" sourcetype="pcap" source="*$crimename$*" event_type=http | iplocation src_ip | table timestamp pcap_cnt src_ip dest_ip dest_port http.hostname http.http_content_type http.http_refer http.url
In this lab instance, the data reaching Splunk is not sufficient to see packet-level detail, so Wireshark comes to the aid.
HTTP traffic in wireshark
index="suricata" sourcetype="pcap" source="*$crimename$*" fileinfo.filename=* NOT (http.hostname="*google*" OR http.hostname="*facebook*" OR http.hostname="*bing*" OR http.hostname="*youtube*" OR http.hostname="*microsoft*" OR fileinfo.filename="*.js" OR fileinfo.filename="*.css" OR fileinfo.filename="*.eot" OR fileinfo.filename="*.woff" OR fileinfo.filename="/" OR fileinfo.filename="*.jpg" OR fileinfo.filename="*.png" OR fileinfo.filename="*.gif" OR fileinfo.filename="*.woff2") | stats values(fileinfo.filename) AS "Files Downloaded" values(http.http_content_type) AS Content_type by http.hostname src_ip | RENAME http.hostname AS "Malicious Domain"
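The four dashboard searches above (events by category, signatures triggered, notable HTTP hosts, and files downloaded) can be reproduced offline against a raw eve.json, which is handy for checking what Splunk should show before the forwarder is wired up. The following is an added example written for this post, not the dashboard's own code: it parses constructed eve.json records shaped like Suricata 3.x output (the hostnames are the ones discussed on this page, but the URLs, IPs, sizes and the "ET CURRENT_EVENTS ..." signature string are made up for illustration and are not the real events from the lab pcap) and applies the same filters as the SPL. Two details worth knowing: Suricata's own decoder and stream signatures contain "SURICATA" and are excluded just as the `!="*suricata*"` clause does, and fileinfo records carry an `http` block too, so a search on `http.http_content_type` without `event_type=http` double-counts each download; the helper below restricts to http records.

```python
"""Offline stand-in for the Splunk searches: count by event_type, signatures triggered,
notable HTTP hosts and files downloaded, run over Suricata eve.json lines."""
import json
from collections import Counter, defaultdict
from fnmatch import fnmatchcase

# Constructed sample records (assumption: Suricata 3.x eve.json shape). Not real lab data.
SAMPLE_EVE = """
{"timestamp":"2016-02-28T18:40:01.000000+0000","event_type":"dns","src_ip":"192.168.122.52","dest_ip":"192.168.122.1","dns":{"type":"query","rrname":"misspluss.hu","rrtype":"A"}}
{"timestamp":"2016-02-28T18:40:01.100000+0000","event_type":"http","src_ip":"192.168.122.52","dest_ip":"203.0.113.10","dest_port":80,"http":{"hostname":"misspluss.hu","url":"/","http_method":"GET","http_content_type":"text/html","status":200}}
{"timestamp":"2016-02-28T18:40:01.200000+0000","event_type":"fileinfo","src_ip":"192.168.122.52","dest_ip":"203.0.113.10","http":{"hostname":"misspluss.hu","url":"/","http_content_type":"text/html"},"fileinfo":{"filename":"/","size":5120}}
{"timestamp":"2016-02-28T18:40:02.000000+0000","event_type":"http","src_ip":"192.168.122.52","dest_ip":"203.0.113.11","dest_port":80,"http":{"hostname":"img.zolotcevasunya.info","url":"/land.php","http_method":"GET","http_content_type":"text/html","status":404}}
{"timestamp":"2016-02-28T18:41:00.000000+0000","event_type":"http","src_ip":"192.168.122.52","dest_ip":"203.0.113.12","dest_port":80,"http":{"hostname":"www.mysecretdeals.nl","url":"/","http_method":"GET","http_content_type":"text/html","status":200}}
{"timestamp":"2016-02-28T18:41:01.000000+0000","event_type":"http","src_ip":"192.168.122.52","dest_ip":"203.0.113.13","dest_port":80,"http":{"hostname":"netmakevitelaoversttelsestidspunkt.timepassion.com","url":"/load.php","http_method":"GET","http_content_type":"application/octet-stream","status":200}}
{"timestamp":"2016-02-28T18:41:01.100000+0000","event_type":"fileinfo","src_ip":"192.168.122.52","dest_ip":"203.0.113.13","http":{"hostname":"netmakevitelaoversttelsestidspunkt.timepassion.com","url":"/load.php","http_content_type":"application/octet-stream"},"fileinfo":{"filename":"/load.php","size":204800}}
{"timestamp":"2016-02-28T18:41:05.000000+0000","event_type":"http","src_ip":"192.168.122.52","dest_ip":"203.0.113.14","dest_port":80,"http":{"hostname":"biocarbon.com.ec","url":"/check.php","http_method":"POST","http_content_type":"text/html","status":200}}
{"timestamp":"2016-02-28T18:41:05.100000+0000","event_type":"fileinfo","src_ip":"192.168.122.52","dest_ip":"203.0.113.14","http":{"hostname":"biocarbon.com.ec","url":"/check.php","http_content_type":"text/html"},"fileinfo":{"filename":"/check.php","size":2}}
{"timestamp":"2016-02-28T18:41:06.000000+0000","event_type":"fileinfo","src_ip":"192.168.122.52","dest_ip":"203.0.113.20","http":{"hostname":"www.google.com","url":"/images/logo.png","http_content_type":"image/png"},"fileinfo":{"filename":"/images/logo.png","size":3000}}
{"timestamp":"2016-02-28T18:41:07.000000+0000","event_type":"fileinfo","src_ip":"192.168.122.52","dest_ip":"203.0.113.12","http":{"hostname":"www.mysecretdeals.nl","url":"/wp-content/style.css","http_content_type":"text/css"},"fileinfo":{"filename":"/wp-content/style.css","size":900}}
{"timestamp":"2016-02-28T18:41:01.050000+0000","event_type":"alert","src_ip":"203.0.113.13","dest_ip":"192.168.122.52","proto":"TCP","alert":{"action":"allowed","signature":"ET CURRENT_EVENTS Exploit Kit Landing Page (constructed)","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2016-02-28T18:41:01.060000+0000","event_type":"alert","src_ip":"203.0.113.13","dest_ip":"192.168.122.52","proto":"TCP","alert":{"action":"allowed","signature":"ET CURRENT_EVENTS Exploit Kit Landing Page (constructed)","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2016-02-28T18:41:02.000000+0000","event_type":"alert","src_ip":"192.168.122.52","dest_ip":"203.0.113.13","proto":"TCP","alert":{"action":"allowed","signature":"SURICATA STREAM excessive retransmissions","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2016-02-28T18:41:09.000000+0000","event_type":"flow","src_ip":"192.168.122.52","dest_ip":"203.0.113.13","proto":"TCP","flow":{"pkts_toserver":12,"pkts_toclient":160,"state":"closed"}}
{"timestamp":"2016-02-28T18:41:10.000000+0000","event_type":"tls","src_ip":"192.168.122.52","dest_ip":"203.0.113.30","proto":"TCP","tls":{"subject":"CN=example.com","sni":"example.com"}}
"""


def parse_eve(text):
    """eve.json is one JSON object per line; skip blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def count_by_event_type(events):
    """SPL: ... | stats count by event_type"""
    return Counter(e["event_type"] for e in events)


def triggered_signatures(events):
    """SPL: event_type=alert alert.signature!="*suricata*" | stats count by alert.signature
    Splunk field matching is case-insensitive, so "SURICATA STREAM ..." is dropped too."""
    return Counter(e["alert"]["signature"] for e in events
                   if e["event_type"] == "alert"
                   and "suricata" not in e["alert"]["signature"].lower())


def notable_http_hosts(events):
    """SPL: (http.http_content_type="text/html" OR http.http_content_type="*application*")
    | stats count by http.hostname  -- restricted here to http records so that the
    fileinfo record of the same download is not counted a second time."""
    counts = Counter()
    for e in events:
        if e["event_type"] != "http":
            continue
        ctype = e["http"].get("http_content_type", "")
        if ctype == "text/html" or "application" in ctype:
            counts[e["http"]["hostname"]] += 1
    return counts


# Same wildcard lists as the "Files Downloaded" search; matched case-insensitively.
NOISE_HOSTS = ("*google*", "*facebook*", "*bing*", "*youtube*", "*microsoft*")
NOISE_FILES = ("*.js", "*.css", "*.eot", "*.woff", "*.woff2", "/", "*.jpg", "*.png", "*.gif")


def _matches_any(value, patterns):
    value = value.lower()
    return any(fnmatchcase(value, p) for p in patterns)


def files_downloaded(events):
    """SPL: fileinfo.filename=* NOT (<noise hosts> OR <static file types>)
    | stats values(fileinfo.filename) values(http.http_content_type) by http.hostname src_ip"""
    out = defaultdict(lambda: {"files": set(), "content_types": set()})
    for e in events:
        if e["event_type"] != "fileinfo":
            continue
        fname = e["fileinfo"].get("filename")
        host = e.get("http", {}).get("hostname", "")
        if not fname or _matches_any(host, NOISE_HOSTS) or _matches_any(fname, NOISE_FILES):
            continue
        key = (host, e["src_ip"])
        out[key]["files"].add(fname)
        ctype = e["http"].get("http_content_type")
        if ctype:
            out[key]["content_types"].add(ctype)
    return dict(out)


EVENTS = parse_eve(SAMPLE_EVE)

if __name__ == "__main__":
    print("Events by category:", dict(count_by_event_type(EVENTS)))
    print("Signatures triggered:", dict(triggered_signatures(EVENTS)))
    print("Notable HTTP hosts:", dict(notable_http_hosts(EVENTS)))
    for (host, src), info in files_downloaded(EVENTS).items():
        print("Malicious domain:", host, "from", src, sorted(info["files"]), sorted(info["content_types"]))
```

To run it against a real capture, replace `SAMPLE_EVE` with `open("eve.json").read()`; the functions take the parsed list so the same checks can be pointed at any campaign folder.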
DNS Traffic: DNS queries made during this scenario
Further analysis of the scripts and files downloaded to the infected host can be done with NetworkMiner or Fiddler, which is beyond the scope of this post.