CapTipper is another sweet Python-based analysis tool that takes a pcap of malicious HTTP traffic and parses out all sorts of useful information about it: client and server details, conversations, hexdumps, iframes and more. You can also open a response in your own browser and see what came down, using the aptly named "open" command (do that from an isolated analysis box, since you are rendering the attacker's content). Gzip decompression is built in, which is a very nice feature: if you do much intrusion analysis at all, you know how much of the content you need to inspect is gzipped these days.
You can find Omri's blog post on the tool at:
http://www.omriher.com/2015/01/captipper-malicious-http-traffic.html
and find the GitHub page at:
https://github.com/omriher/CapTipper.
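To show the kind of work CapTipper saves you, here is an added example (my own code, not from CapTipper or from Omri's post) that takes one raw server-to-client HTTP response, as you would reassemble it from a pcap, and does the three steps an analyst otherwise does by hand: split headers from body, undo chunked transfer encoding and gzip/deflate content encoding, and pull iframe targets out of the decoded HTML. The sample responses and the hidden-iframe page are constructed here; the iframe URL uses the reserved `.invalid` TLD and is not a real site.

```python
import gzip
import re
import zlib

# Constructed sample page: a 1x1 hidden iframe, the classic drive-by redirector
# pattern. The target host is a placeholder (.invalid TLD), not a real site.
SAMPLE_HTML = (
    b"<html><body><h1>Welcome</h1>\n"
    b'<iframe src="http://example.invalid/landing.php" width="1" height="1" '
    b'style="visibility:hidden"></iframe>\n'
    b"</body></html>"
)
_GZ_BODY = gzip.compress(SAMPLE_HTML)

# Constructed response 1: gzip body with a Content-Length.
SAMPLE_GZIP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Encoding: gzip\r\n"
    b"Content-Length: " + str(len(_GZ_BODY)).encode("ascii") + b"\r\n"
    b"\r\n" + _GZ_BODY
)

# Constructed response 2: same gzip payload, delivered as two chunks.
_HALF = len(_GZ_BODY) // 2
SAMPLE_CHUNKED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Encoding: gzip\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    + b"%x\r\n" % _HALF + _GZ_BODY[:_HALF] + b"\r\n"
    + b"%x\r\n" % (len(_GZ_BODY) - _HALF) + _GZ_BODY[_HALF:] + b"\r\n"
    + b"0\r\n\r\n"
)

# Constructed raw-deflate body (zlib header and adler32 trailer stripped), the
# non-standard form some servers send under "Content-Encoding: deflate".
SAMPLE_DEFLATE_RAW = zlib.compress(SAMPLE_HTML)[2:-4]


def parse_response(raw):
    """Split a raw HTTP response into (status line, lowercased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def dechunk(body):
    """Reassemble a chunked body: '<hex size>\\r\\n<data>\\r\\n' ... '0\\r\\n\\r\\n'.
    A truncated capture returns whatever chunks were fully present."""
    out = bytearray()
    pos = 0
    try:
        while True:
            end = body.index(b"\r\n", pos)
            size = int(body[pos:end].split(b";", 1)[0], 16)  # drop chunk extensions
            if size == 0:
                break
            start = end + 2
            out += body[start:start + size]
            pos = start + size + 2  # skip the CRLF that follows the chunk data
    except ValueError:
        pass
    return bytes(out)


def _inflate(data, wbits):
    # decompressobj, unlike gzip.decompress, hands back the recoverable prefix
    # of a truncated stream instead of raising, which is what you want on a pcap.
    return zlib.decompressobj(wbits).decompress(data)


def decode_body(headers, body):
    """Undo transfer and content encodings so you see what the browser rendered."""
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    enc = headers.get("content-encoding", "").lower()
    if enc in ("gzip", "x-gzip"):
        return _inflate(body, zlib.MAX_WBITS | 32)  # 32: auto-detect gzip/zlib header
    if enc == "deflate":
        try:
            return _inflate(body, zlib.MAX_WBITS)   # zlib-wrapped, per RFC 7230
        except zlib.error:
            return _inflate(body, -zlib.MAX_WBITS)  # raw deflate, as some servers send
    return body


IFRAME_SRC = re.compile(rb"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def find_iframes(html):
    """Return iframe src values found in an HTML body."""
    return [m.decode("latin-1", "replace") for m in IFRAME_SRC.findall(html)]


def analyze(raw):
    """Summarize one response: status, encoding, decoded body and iframes in it,
    plus iframes visible in the undecoded wire body (normally none when gzipped)."""
    status, headers, body = parse_response(raw)
    decoded = decode_body(headers, body)
    return {
        "status": status,
        "encoding": headers.get("content-encoding"),
        "body": decoded,
        "iframes": find_iframes(decoded),
        "iframes_in_wire_body": find_iframes(body),
    }


if __name__ == "__main__":
    for name, resp in (("content-length", SAMPLE_GZIP_RESPONSE), ("chunked", SAMPLE_CHUNKED_RESPONSE)):
        r = analyze(resp)
        print(name, r["status"], r["encoding"], "iframes:", r["iframes"])
```

The `iframes_in_wire_body` field makes the post's point concrete: grep the bytes as they crossed the wire and the redirector is invisible; decode first and it falls out. Real captures also bring truncated streams and servers that mislabel raw deflate as zlib, which is why the decompression goes through `decompressobj` with a fallback rather than a single `gzip.decompress` call.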