Kali Linux

Wireshark-Forensics-Plugin : A cross-platform Wireshark plugin that correlates network traffic data

Wireshark-Forensics-Plugin is the most widely used network traffic analyzer. It is an important tool for both live traffic analysis & forensic analysis for forensic/malware analysts. Even though Wireshark provides incredibly powerful functionalities for protocol parsing & filtering, it does not provide any contextual information about network endpoints. For a typical analyst, who has to comb through GBs of PCAP files to identify malicious activity, it’s like finding a needle in a haystack.

Wireshark Forensics Toolkit is a cross-platform Wireshark plugin that correlates network traffic data with threat intelligence, asset categorization & vulnerability data to speed up network forensic analysis. It does it by extending Wireshark native search filter functionality to allow filtering based on these additional contextual attributes. It works with both PCAP files and real-time traffic captures.

This toolkit provides the following functionality

  • Loads malicious Indicators CSV exported from Threat Intelligence Platforms like MISP and associates it with each source/destination IP from network traffic
  • Loads asset classification information based on IP-Range to Asset Type mapping which enables filtering incoming/outgoing traffic from a specific type of assets (e.g. filter for ‘Database Server’, ‘Employee Laptop’ etc)
  • Loads exported vulnerability scan information exported from Qualys/Nessus map IP to CVEs.
  • Extends native Wireshark filter functionality to allow filtering based severity, source, asset type & CVE information for each source or destination IP address in network logs

How To Use

  • Download source Zip file or checkout the code
  • Folder data/formatted_reports has 3 files
  • asset_tags.csv : Information about asset ip/domain/cidr and associated tags. Default file has few examples for intranet IPs & DNS servers
  • asset_vulnerabilities.csv : Details about CVE IDs and top CVSS score value for each asset
  • indicators.csv : IOC data with attributes type, value, severity & threat type
  • All 3 files mentioned in step (2) can either be manually edited or vulnerabilities & indicators file can be generated using exported MISP & Tenable Nessus scan report. Need to place exported files under following folders with exact name specified
  • data/raw_reports/misp.csv : this file can be exported from MISP from following location, Export->CSV_Sig->Generate then Download
  • data/raw_reports/nessus.csv : this file can be exported from tenable nessus interface. Goto Scans->Scan Results->Select latest full scan entry. Select Vulnerability Detail List from Dropdown.

Then goto Options->Export as CSV->Select All->Submit. Rename downloaded file as nessus.csv and copy it to raw_reports/nessus.csv

  • If you planning to download data from ThreatStream instead of using MISP, provide username, api_key and filter in config.json file. Each time you run python script, it will try to grab latest IOCs from threatstream & store them in data/formatted_reports/indicators.csv file.
  • Run wft.exe if you are on windows, else run ‘python wft.py’ on Mac or Ubuntu to install and/or replace updated report files. Script will automatically pick up Wireshark Install location. If you have installed wireshark on custom path or using Wireshark Portable App then you can provide location as command line argument. E.g. while using Portable App, location would look something like this ‘C:\Downloads\WiresharkPortable\Data’
  • Post Installation, Open Wireshark & go to Edit->Configuration Profiles and select wireshark forensic toolkit profile. This will enable all additional columns

List of filters available

Note all these options also available for destination, just replace ‘wft.src’ with ‘wft.dst’

  • wft.src.domain (Source Domain Resolution using previous DNS traffic)
  • wft.src.detection (Source IP/Domain detection using IOC data)
  • wft.src.severity (Source IP/Domain detection severity using IOC data)
  • wft.src.threat_type (Source IP/Domain threat type severity using IOC data)
  • wft.src.tags (Source IP/Domain asset tags)
  • wft.src.os (Source IP/Domain operating system specified in vulnerability report)
  • wft.src.cve_ids (Comma separated list of CVE IDS for source IP/Domain)
  • wft.src.top_cvss_score (Top CVSS score among all CVE IDs for a given host)
Download
R K

Leave a Comment
Share
Published by
R K
Tags: Cross-Platformnetwork traffic dataWireshark-Forensics-Plugin
3 years ago

Recent Posts

Kali Linux 2024.4 Released, What’s New?

Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…

3 days ago

Lifetime-Amsi-EtwPatch : Disabling PowerShell’s AMSI And ETW Protections

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…

3 days ago

GPOHunter – Active Directory Group Policy Security Analyzer

GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…

5 days ago

2024 MITRE ATT&CK Evaluation Results – Cynet Became a Leader With 100% Detection & Protection

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…

1 week ago

SecHub : Streamlining Security Across Software Development Lifecycles

The free and open-source security platform SecHub, provides a central API to test software with…

1 week ago

Hawker : The Comprehensive OSINT Toolkit For Cybersecurity Professionals

Don't worry if there are any bugs in the tool, we will try to fix…

1 week ago