Discover and read the best of Twitter Threads about #pcap

Most recents (4)

So you got an Intel AX210 adapter installed on your Linux computer and are ready to start capturing Wi-Fi traffic on 6 GHz, except that it doesn't work. Here's what you should know. 🧡
First, you need to be running Linux kernel 5.10 or newer. Intel drivers (iwlwifi) are part of the upstream Linux kernel. Intel introduced support for the AX210 adapter (and 6 GHz) in version 5.10.
Second, if using iw for managing the Wi-Fi interface, make sure you install iw 5.9 or newer. Older versions of iw implemented some initial support for 6 GHz but used a channel numbering scheme that was later abandoned, with channels 191, 195, etc.
Read 13 tweets
(1/of a few) Doing some training #threathunting runs with #suricata -with pcap from bit.ly/3jNUCyw
Fun fact: Alerts count only for 8% of the total logs produced - we also have protocol logs like Flow records, KRB5, SMB, DNS, TLS, HTTP, DCERPC,Fileinfo Image
(2/of a few)
Just as regular protocol and flow logging of #Suricata gives us:

633 FLOW logs
295 HTTP logs
182 TLS logs
130 DNS logs
114 SMB logs
90 DCERPC logs
66 FILEINFO logs
23 KRB5 logs
2 NTP logs

Let's see some examples of the generated data...
(3/of a few)
Quick and dirty cmd look at the DNS logs generated by #Suricata gives us the domain list for our #threathunting review
Couple of those jump out (at lest to me) Image
Read 17 tweets
2020-07-16 - #Hancitor URL from (I assume) malspam:

hxxp://dunafacility[.]partners/wp-includes/tannerbaum.php

XLS: app.any.run/tasks/ab9808d6…

DLL: app.any.run/tasks/4e4a8162…

Follow-up malware: app.any.run/tasks/d94c1428…
2020-07-16 - #Hancitor info:

Paste: pastebin.com/s5iRrWRj

Pastebin raw: pastebin.com/raw/s5iRrWRj

Blog with #pcap and other data: malware-traffic-analysis.net/2020/07/16/ind…

If anyone knows what the follow-up malware is, let us all know. I don't recognize it.
Read 3 tweets
🚨 New blog with @_bromiley on CVE-2019-19781 - "I Promise It'll Be 200 OK", covering:
β€’ ASCII encoding trick evading most (all?) public rules /.%2e/%76pns/ πŸ‘€
β€’ @snort 🐷 #detection tricks (negative distance, exploitation flowbits)
πŸ‘‰πŸ”— fireeye.com/blog/products-…
β€’ #DFIR tips ‡️ ImageImage
@_bromiley @snort @mpgn_x64 @TrustedSec @4real_br4nd4n @BakedSec @sans_isc @FireEye @Mandiant Blog contains a sampling of CVE-2019-19781 post-compromise activity: fireeye.com/blog/products-…

Quick & dirty #DFIR searches (use zgrep) in /var/log/
httpaccess.* : 'GET.*\.xml HTTP/1\.1\" 200' [use -B 1]
httpaccess.* : '/vpn/\.\./'
bash.* : 'nobody'
@_bromiley @snort @mpgn_x64 @TrustedSec @4real_br4nd4n @BakedSec @sans_isc @FireEye @Mandiant Gr33tz to all the cool people who have published helpful research that we linked to in the blog: @craigtweets & @TripwireInc, @HackingDave & @TrustedSec, @sans_isc, @x1sec, and sorta @mpgn_x64 πŸ˜…

As well as teammates @a_tweeter_user, @BakedSec, @4real_br4nd4n, and @nluedtke1 πŸ™‡πŸ½β€β™‚οΈ
Read 6 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!