One of my favorite sites is "Malware Traffic Analysis" where the author routinely posts network challenges. In the spirit of contributing to this effort of providing material for analysts to sharpen their skills, I developed a challenge focused around a popular scenario I often come across in research and other analysis efforts. As a heads up, any malware you may come across in the analysis of this PCAP is in fact real malware. Please take care in how you analyze.
When reviewing this PCAP and writing your response please keep in mind what you would really want in an investigation. The questions I ask at the end of this article are intentionally vague, as I didn't want to give too much away with the questions. What I am hoping to see in responses is that the analysts are able to adequately tell a story of what likely occurred, identify network and host indicators that can help further scope this incident, and write detection rules in the detection languages of their choice to find future instances of this activity.
The due date for submissions is September 25, 2016. Enjoy!
Client provides a PCAP involving all traffic they have from a victim Linux server. A snort signature alerted for files downloaded from an HFS server. The client does not have any other context to provide. Other than the following is the Snort Signature that was alerted on:
alert tcp any any -> any any (msg:"HFS [File Download]";flow:to_client,established; content:"HFS 2.";distance:0; content:"HFS_SID="; classtype:suspicious; sid:999999; rev:1;)
- Determine what likely occurred based on the evidence from the PCAP.
- Identify any network and/or host artifacts that could be used to scope this incident further.
- If applicable, write detection signatures (snort/suricata/yara) to increase coverage for this type of activity.
Feel free to submit your responses directly to NetChallenge[at]tekdefense.com or comment on this blog post with a link to your own article with a response. I'll review responses, and perhaps give out a few prizes to those with great writeups.