



So something that I usually look for when analyzing pcaps that I think have malware in them is connections that are being opened frequently (every few seconds). This is because malware will typically communicate with a command and control (C&C) server regularly to receive commands on what to do. I would specifically check out frequent communications on port 80 or 443 since those are generally open and therefore malware will often communicate over them.

Another tool that you could look at that I have used a decent amount is BRO (name was changed to Zeek apparently). The main benefit I've found is that it will give you a nice web interface to look at. If you were to download a Security Onion VM it will have BRO and Elastic Stack, which you can replay the pcaps in and get some useful information.

I guess none of this really answers your question on what tool to use, but if you are only allowed to use Snort or Wireshark then I would use both because they are both able to give you different information from the pcap.
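The "connections opened every few seconds" pattern described in the post can be checked mechanically once the pcap has been turned into connection records (for example Zeek's conn.log). The script below is an added example and not code from the post or from the Zeek project: it parses a constructed, reduced conn.log-style TSV (only the ts, id.orig_h, id.resp_h and id.resp_p columns), groups connections by source, destination and port, and flags flows whose inter-connection gaps are short and nearly constant. The thresholds and the sample log lines are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample in a reduced Zeek conn.log layout (tab-separated).
# Columns: ts  id.orig_h  id.resp_h  id.resp_p
# 10.0.0.5 talks to 203.0.113.7:443 about every 30 seconds (beacon-like),
# 10.0.0.8 browses 198.51.100.20:80 at irregular times (ordinary traffic),
# 10.0.0.9 makes only two connections (too few to judge).
SAMPLE_CONN_LOG = """#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p
1000.0\t10.0.0.5\t203.0.113.7\t443
1005.0\t10.0.0.8\t198.51.100.20\t80
1012.0\t10.0.0.8\t198.51.100.20\t80
1030.1\t10.0.0.5\t203.0.113.7\t443
1059.9\t10.0.0.5\t203.0.113.7\t443
1090.0\t10.0.0.5\t203.0.113.7\t443
1100.0\t10.0.0.8\t198.51.100.20\t80
1101.0\t10.0.0.8\t198.51.100.20\t80
1120.2\t10.0.0.5\t203.0.113.7\t443
1149.8\t10.0.0.5\t203.0.113.7\t443
1200.0\t10.0.0.9\t192.0.2.44\t80
1250.0\t10.0.0.8\t198.51.100.20\t80
1260.0\t10.0.0.9\t192.0.2.44\t80
"""


def parse_conn_log(text):
    """Parse the reduced conn.log text into a list of dicts.

    Lines starting with '#' are Zeek-style header/metadata lines and are skipped.
    """
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, resp_h, resp_p = line.split("\t")
        records.append({
            "ts": float(ts),
            "orig": orig_h,
            "resp": resp_h,
            "port": int(resp_p),
        })
    return records


def find_periodic_flows(records, min_connections=5, max_interval=60.0,
                        max_jitter_ratio=0.1):
    """Return flows that look like regular check-ins.

    A flow is keyed by (source host, destination host, destination port).
    It is reported when it has at least `min_connections` connections, the
    mean gap between consecutive connections is at most `max_interval`
    seconds, and the gaps vary little (population stdev / mean gap is at
    most `max_jitter_ratio`). The threshold values are assumptions; tune
    them to the traffic you are looking at.
    """
    flows = defaultdict(list)
    for r in records:
        flows[(r["orig"], r["resp"], r["port"])].append(r["ts"])

    candidates = {}
    for key, timestamps in flows.items():
        if len(timestamps) < min_connections:
            continue  # too few connections to call the pattern periodic
        timestamps.sort()
        gaps = [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue  # identical timestamps; nothing to measure
        jitter = pstdev(gaps) / avg_gap
        if avg_gap <= max_interval and jitter <= max_jitter_ratio:
            candidates[key] = {
                "count": len(timestamps),
                "mean_interval": avg_gap,
                "jitter": jitter,
            }
    return candidates


if __name__ == "__main__":
    for (src, dst, port), stats in find_periodic_flows(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"{src} -> {dst}:{port}: {stats['count']} connections, "
              f"mean gap {stats['mean_interval']:.1f}s, jitter {stats['jitter']:.3f}")
```

Run against real Zeek output you would read conn.log with the full field list (or use zeek-cut to pull out these four columns) and lower or raise the jitter ratio depending on how much the implant's sleep timer varies; a flow to a legitimate service on 80 or 443 can also be periodic (update checks, health probes), so a hit is a lead to inspect in Wireshark, not a verdict.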
