
I've been going through these malware traffic analysis exercises, and part of the malicious traffic detected is IRC traffic over the non-standard port 443. This is picked up by ET Snort rule sid:2000348; rev:15.

The content of the rule is

"JOIN "; nocase; depth:5; pcre:"/&|#|+|!/R"

How would I find this IRC JOIN command if I was to analyze the pcap using Wireshark? Is there a way that I can search the entire pcap for the string "JOIN"? Does Wireshark support using regex like the above Snort rule?

Heisenberg

1 Answer

One solution would be to use a utility such as ngrep (http://ngrep.sourceforge.net/usage.html) and pass it the .pcap file along with a regular expression.

Example: ngrep -q -I file.pcap | grep -i user

An example of this can be found on the web HERE

Snippet from trustwave.com

5) Search for text strings using ngrep

This is useful to look for any specific string or regex you want, e.g. look for "password", "card", "username", etc. This will normally find FTP, HTTP, or POP passwords as examples. Although this is a simple example, ngrep can be used for complex regexes.

ngrep -q -I file.pcap | grep -i user

e.g

..........< TRUNCATED>..........

en" id="secure_username" name="username" value="" />......

..........< TRUNCATED>..........

6) Find emails using ngrep ...

What regex to use: I would encourage learning how to craft regular expressions if you haven't already as they are very useful. (Not tested): ~JOIN

EDIT: If you must use Wireshark and not ngrep, then I believe Wireshark uses Perl-style regular expressions.

Kyle
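As an added example (not from either poster), the following Python script emulates the Snort rule's matching logic directly over a pcap: it parses IPv4/TCP frames by hand and applies a regex equivalent to content:"JOIN "; nocase; depth:5 followed by the relative pcre. The pcap is constructed inline; the Wireshark display-filter equivalent given in the comment is an assumption, not something from the page.

```python
import re
import struct
from typing import Iterator, List, Tuple

# Constructed sample traffic: a minimal Ethernet pcap with four TCP segments to port 443.
def _tcp_packet(sport: int, dport: int, payload: bytes) -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"  # dummy MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([192, 0, 2, 1]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def _pcap(packets: List[bytes]) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out

SAMPLE_PCAP = _pcap([
    _tcp_packet(49152, 443, b"\x16\x03\x01\x00\x05hello"),  # looks like TLS: no alert
    _tcp_packet(49153, 443, b"JOIN #botnet\r\n"),            # should alert
    _tcp_packet(49154, 443, b"join &ops\r\n"),               # nocase: should alert
    _tcp_packet(49155, 443, b"JOINED #x\r\n"),               # no "JOIN " in depth 5
])

def tcp_payloads(pcap: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (src_port, dst_port, payload) for every IPv4/TCP frame in a pcap."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield sport, dport, tcp[(tcp[12] >> 4) * 4:]

# content:"JOIN "; nocase; depth:5 => the 5-byte string can only fit at offset 0.
# pcre /&|#|+|!/R scans relative to the end of that match ("+" taken literally),
# so any later channel prefix satisfies the rule.
JOIN_RE = re.compile(rb"^JOIN .*?[&#+!]", re.IGNORECASE | re.DOTALL)

def find_irc_joins(pcap: bytes) -> List[Tuple[int, int, bytes]]:
    """Return (src_port, dst_port, payload) of segments that would trip the rule.
    Assumed Wireshark equivalent: tcp.payload matches "(?i)^JOIN .*?[&#+!]"."""
    return [hit for hit in tcp_payloads(pcap) if JOIN_RE.search(hit[2])]
```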