Behavior-based traffic analysis

BlackBox [Ransetsu]
7 years ago

0

Does anybody have any suggested resources on this topic? I'm trying to find PCAP examples of malicious or suspicious traffic, but they are a bit hard to come across and are usually sprinkled through write-ups and white papers.

So far I'm alerting on:

- different types of redirects coupled with URL changes that contain an abnormally large number of subdomains (subdomain.subdomain.subdomain.legitsite.com)
- apparently random strings (this is typical of exploit kits that deliver ransomware and banking trojans), e.g. HKJHSADdkjhdhweU87kHj234.biz (made-up example)
- abnormal amounts of DNS and NTP traffic
- DNS data exfiltration, e.g. KJDkfdjfweklDKJFF8efLKJDFkjw.someurl.com
- bad, suspicious, or missing User-Agent information in HTTP headers
- packets with abnormal flags, such as having the SYN, FIN, and PUSH flags all set

Any suggestions or resources you find helpful would be much appreciated. I'm not so much interested in signature-based analysis.

0 replies, 1 voice, 167 views
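The heuristics the post lists (deep subdomain chains, random-looking labels, long DNS labels that suggest encoded data, DNS query volume, missing or suspicious User-Agent, and SYN+FIN+PSH flag combinations) can be checked without any signatures. The script below is an added example written for this page, not code from the original post or from any tool it mentions. It runs the checks over a handful of constructed sample events (a DNS query, an HTTP request and a TCP segment are each reduced to a small dict; in practice you would feed it fields pulled from a PCAP with a parser such as dpkt or scapy). The thresholds, the placeholder suspicious User-Agent list, the two-label assumption for the registrable domain, and the extra NULL and Xmas flag checks are my assumptions and additions, not figures from the post.

```python
"""Behaviour-based traffic heuristics over constructed sample events (added example)."""
import math
from collections import Counter

# Assumed thresholds: tune against a baseline of your own normal traffic.
MAX_SUBDOMAIN_DEPTH = 3      # labels left of the registrable domain before alerting
RANDOM_MIN_LEN = 12          # shorter labels give meaningless entropy scores
RANDOM_MIN_ENTROPY = 3.5     # Shannon entropy in bits per character
LONG_LABEL_LEN = 25          # one DNS label this long suggests encoded data (exfil)
MAX_DNS_PER_SRC = 50         # queries from one source within the sample (no time window here)
SUSPICIOUS_UA = {"", "-", "Mozilla/4.0"}   # constructed placeholder list, not a curated one

# TCP flag bits as laid out in the TCP header (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s; 0.0 for an empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def subdomain_depth(hostname: str) -> int:
    """Labels left of the registrable domain, assuming it is the last two labels.
    A real deployment should consult the public suffix list (co.uk and friends)."""
    labels = [l for l in hostname.lower().rstrip(".").split(".") if l]
    return max(0, len(labels) - 2)


def looks_random(label: str) -> bool:
    """High-entropy label of useful length, e.g. exploit-kit style hostnames."""
    return len(label) >= RANDOM_MIN_LEN and shannon_entropy(label) >= RANDOM_MIN_ENTROPY


def hostname_findings(hostname: str) -> list:
    reasons = []
    labels = hostname.rstrip(".").split(".")[:-1]   # drop the TLD itself
    if subdomain_depth(hostname) >= MAX_SUBDOMAIN_DEPTH:
        reasons.append("deep_subdomain")
    if any(looks_random(l) for l in labels):
        reasons.append("random_label")
    if any(len(l) >= LONG_LABEL_LEN for l in labels):
        reasons.append("long_label")
    return reasons


def tcp_flag_findings(flags: int) -> list:
    """Flag combinations no legitimate stack emits; NULL/Xmas are classic scan probes."""
    reasons = []
    if flags & SYN and flags & FIN:
        reasons.append("syn_fin")       # open and close in the same segment
    if flags & SYN and flags & PSH:
        reasons.append("syn_psh")       # nothing to push before the handshake completes
    if flags == 0:
        reasons.append("null_scan")
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG) and not flags & (SYN | ACK):
        reasons.append("xmas_scan")
    return reasons


def http_findings(headers: dict) -> list:
    ua = headers.get("User-Agent")
    if ua is None:
        return ["no_user_agent"]
    if ua.strip() in SUSPICIOUS_UA:
        return ["suspicious_user_agent"]
    return []


def analyze(events: list) -> dict:
    """Map event index -> list of heuristic names that fired for that event."""
    hits = {}
    dns_per_src = Counter()
    for i, ev in enumerate(events):
        if ev["type"] == "dns":
            reasons = hostname_findings(ev["qname"])
            dns_per_src[ev["src"]] += 1
            if dns_per_src[ev["src"]] == MAX_DNS_PER_SRC + 1:   # report the crossing once
                reasons.append("dns_volume")
        elif ev["type"] == "http":
            reasons = hostname_findings(ev["host"]) + http_findings(ev["headers"])
        elif ev["type"] == "tcp":
            reasons = tcp_flag_findings(ev["flags"])
        else:
            reasons = []
        if reasons:
            hits[i] = reasons
    return hits


# Constructed sample events mirroring the cases in the post (the hostnames are the
# post's own made-up examples); the trailing burst simulates a chatty DNS client.
SAMPLE_EVENTS = [
    {"type": "dns", "src": "10.0.0.5", "qname": "subdomain.subdomain.subdomain.legitsite.com"},
    {"type": "http", "host": "HKJHSADdkjhdhweU87kHj234.biz",
     "headers": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}},
    {"type": "dns", "src": "10.0.0.5", "qname": "KJDkfdjfweklDKJFF8efLKJDFkjw.someurl.com"},
    {"type": "http", "host": "www.legitsite.com", "headers": {}},
    {"type": "tcp", "flags": SYN | FIN | PSH},
    {"type": "tcp", "flags": SYN},
] + [{"type": "dns", "src": "10.0.0.9", "qname": "www.example.com"}
     for _ in range(MAX_DNS_PER_SRC + 1)]

if __name__ == "__main__":
    for idx, why in sorted(analyze(SAMPLE_EVENTS).items()):
        print(idx, SAMPLE_EVENTS[idx], "->", ", ".join(why))
```

Two caveats a practitioner will hit immediately: entropy alone is noisy (CDN and cloud hostnames are legitimately long and mixed-case, so pair it with a whitelist or a frequency baseline), and the volume check above counts over the whole sample rather than a sliding time window, which is what you would want on live traffic.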