Karton-Pcap-Miner is a strong program that quickly pulls network indicators from analysis PCAP files.” It works with MWDB without any problems to add these indicators as attributes, which makes cybersecurity research better. You can use it with complicated network data because it has tools for HTTP, TCP, SNI, and DNS built in. Professionals who want to speed up the processes of network analysis and signal extraction must have this tool.
Extract network indicators from analysis PCAPs and add push them to MWDB as attributes.
Example analysis results in MWDB
apt install tshark
)http://305friend.caesarsgroup.top/_errorpages/305friend/five/fre.php
104.21.1.61:80
305friend.caesarsgroup.top:443
305friend.caesarsgroup.top
The default configuration uses the following configuration. You should modify it to suit your own instance if you’re deploying the services on your own infrastructure.
[pcap-miner]
vm_ip_range=10.0.0.0/8
max_results=24
ignore_list=
Read the karton documentation to learn how to configure services in your own deployment.
Set the vm_ip_range
value to specify the range of IP addresses used by VMs. This is used to detect the outgoing direction in network connections.
Some samples may purposely generate a huge number of TCP/DNS connections. The max_results
configures the maximum number of results reported for a given analyzer. If The number exceeds the configured value, no values are reported at all. Set to -1
to always report all results.
In some cases you don’t really want to report some of the indicators that come up in almost all PCAPs. Things like OCSP, UPNP, telemetry appears very frequently and doesn’t provide any analytic value per se.
You can configure the ignored values for each analyzer using the ignore_list
configuration value. It should point to a JSON file containing the excluded values:
{
"network-http": ["http://239.255.255.250:1900*","http://[FF02::C]:1900*"],
"network-tcp": [],
"network-sni": ["google.com:443"],
"network-dns": ["teredo.ipv6.microsoft.com","isatap","dns.msftncsi.com","wpad"]
}
How Does a Firewall Work Step by Step? What Is a Firewall and How Does…
ROADTools is a powerful framework designed for exploring and interacting with Microsoft Azure Active Directory…
Microsoft 365 Groups (also known as M365 Groups or Unified Groups) are at the heart…
SeamlessPass is a specialized tool designed to leverage on-premises Active Directory Kerberos tickets to obtain…
PPLBlade is a powerful Protected Process Dumper designed to capture memory from target processes, hide…
HikPwn: Comprehensive Guide to Scanning Hikvision Devices for Vulnerabilities If you’re searching for an efficient…