How to get details (like the remote IP) about an alert generated by Suricata after scanning a pcap file

0

I wanted to test the security of my Android phone, so I left it for one day running tcpdump in the background.

Then I sent the resulting pcap to virustotal.com. They scan the pcap file using Snort and Suricata.

In the report I have an alert for ET MOBILE MALWARE Google Android Device HTTP Request.

How can I get more info about the packets that triggered the alert? I'm interested mostly in the remote IP, but the contents would be helpful too; I'm trying to identify which app triggered the alert, etc.

I have a Linux machine to analyze the file further but don't know where to start. I assume if I just run suricata -r my.pcap it will give me the same output and nothing more. How can I get more details?

Lord_JABA

Posted 2015-05-22T14:21:52.440

Reputation: 99

Answers

0

First off, you shouldn't have sent a PCAP of your phone's data to a third party if you're genuinely worried about security. There are plenty of tools out there to allow you to do this sort of analysis yourself.

Next up, this should be fairly easy to analyse.

Set up a filter in NetMon, Wireshark, or whatever tool of choice you need, and filter on protocol HTTP. This will get you down to only the relevant traffic type. Take a look at source and destination IPs and you should find it fairly fast.

Another good tool to try is http://www.cs.bham.ac.uk/~tpc/PCAP/

The developer of this tool is extremely highly regarded (opinion, I know!) in his field, and having used this tool myself while analysing data flows from my machines, I know it doesn't replicate your data out to him at all.

Fazer87

Posted 2015-05-22T14:21:52.440

Reputation: 11 177

I'm not skilled enough to spot suspicious packets by eye or with Wireshark filters. To refine my question: how do I figure out which packets correspond to which Suricata/Snort alert? For example, I got the ET MOBILE_MALWARE Google Android Device HTTP Request (Potential Corporate Privacy Violation) alert from Suricata; how do I get more details about what from the pcap file triggered this alert? As for sending files, you're right, but I rather trust virustotal.com (it's not some random online service). Any particular reason not to? – Lord_JABA – 2015-05-24T00:42:05.247
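The refined question above (which pcap traffic produced a given Suricata alert, and what the remote IP was) is answered by Suricata's own logs rather than by the VirusTotal summary. Running `suricata -r my.pcap -l ./out` writes `fast.log` (one line per alert with source/destination IP and port) and, when the eve-log output is enabled in `suricata.yaml` (it is in the default configuration), `eve.json`, where every alert is a JSON record carrying the flow's IPs, the HTTP hostname, URL and User-Agent, and, if `payload-printable: yes` is set for the alert output, the matching request bytes. The script below is an added example, not part of the original thread or of the Suricata project: it parses such an `eve.json`, picks the end of each alerted connection that is not the phone, and lists the other records Suricata logged for the same `flow_id`. The log lines it contains are constructed sample data; the signature text is the one from the question, the sid 9999999 is a placeholder rather than the real ET rule id, and the phone's network 192.168.1.0/24 is an assumption.

```python
"""List remote endpoints and HTTP details for each Suricata alert signature.

Added example (not from the original post). Assumes Suricata was run as
    suricata -r my.pcap -l ./out
with the eve-log output enabled in suricata.yaml, which writes one JSON
record per line to ./out/eve.json.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample eve.json content (not real captured data). The signature
# text is the one from the question; sid 9999999 is a placeholder.
SAMPLE_EVE = r'''
{"timestamp":"2015-05-21T10:12:03.123456+0000","flow_id":101,"event_type":"alert","src_ip":"192.168.1.23","src_port":41234,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9999999,"rev":1,"signature":"ET MOBILE_MALWARE Google Android Device HTTP Request","category":"Potential Corporate Privacy Violation","severity":1},"http":{"hostname":"example.invalid","url":"/ping","http_user_agent":"Dalvik/1.6.0 (Linux; U; Android 4.4.2)","http_method":"GET","protocol":"HTTP/1.1","status":200},"payload_printable":"GET /ping HTTP/1.1\r\nHost: example.invalid\r\n\r\n"}
{"timestamp":"2015-05-21T10:12:03.234567+0000","flow_id":101,"event_type":"http","src_ip":"192.168.1.23","src_port":41234,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","http":{"hostname":"example.invalid","url":"/ping","http_user_agent":"Dalvik/1.6.0 (Linux; U; Android 4.4.2)","http_method":"GET","status":200}}
{"timestamp":"2015-05-21T10:40:11.000001+0000","flow_id":102,"event_type":"alert","src_ip":"192.168.1.23","src_port":41300,"dest_ip":"198.51.100.7","dest_port":8080,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9999999,"rev":1,"signature":"ET MOBILE_MALWARE Google Android Device HTTP Request","category":"Potential Corporate Privacy Violation","severity":1},"http":{"hostname":"tracker.invalid","url":"/collect?id=1","http_user_agent":"Dalvik/1.6.0 (Linux; U; Android 4.4.2)","http_method":"POST"}}
{"timestamp":"2015-05-21T10:41:00.000001+0000","flow_id":103,"event_type":"dns","src_ip":"192.168.1.23","src_port":5353,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"tracker.invalid","rrtype":"A"}}
'''


def parse_eve(text):
    """Return the JSON records in an eve.json text, skipping blank or
    truncated lines (a log cut mid-write ends with a partial record)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def remote_side(event, local_net):
    """Pick the end of the connection that is not the phone: if the source
    address is inside local_net the remote side is the destination."""
    if ipaddress.ip_address(event["src_ip"]) in local_net:
        return event["dest_ip"], event.get("dest_port")
    return event["src_ip"], event.get("src_port")


def summarize_alerts(events, local_net):
    """Group alert records by signature; each entry keeps the remote endpoint
    and the HTTP fields Suricata attached to that alert."""
    by_sig = defaultdict(list)
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        remote_ip, remote_port = remote_side(ev, local_net)
        http = ev.get("http", {})
        by_sig[ev["alert"]["signature"]].append({
            "timestamp": ev["timestamp"],
            "flow_id": ev.get("flow_id"),
            "remote_ip": remote_ip,
            "remote_port": remote_port,
            "hostname": http.get("hostname"),
            "url": http.get("url"),
            "user_agent": http.get("http_user_agent"),
            "payload": ev.get("payload_printable"),  # only present if payload-printable is on
        })
    return dict(by_sig)


def related_events(events, flow_id):
    """All records (http, dns, flow, ...) logged for the same flow_id as an
    alert, i.e. the other packets of that connection."""
    return [ev for ev in events if ev.get("flow_id") == flow_id]


def analyze(text, local_cidr="192.168.1.0/24"):
    """Convenience wrapper: parse the log and summarize its alerts."""
    return summarize_alerts(parse_eve(text), ipaddress.ip_network(local_cidr))


def main():
    events = parse_eve(SAMPLE_EVE)
    for sig, hits in analyze(SAMPLE_EVE).items():
        print(f"== {sig} ({len(hits)} hits)")
        for h in hits:
            print(f"  {h['timestamp']} remote={h['remote_ip']}:{h['remote_port']} "
                  f"host={h['hostname']} url={h['url']} ua={h['user_agent']}")
            for ev in related_events(events, h["flow_id"]):
                if ev["event_type"] != "alert":
                    print(f"    related {ev['event_type']} record at {ev['timestamp']}")


if __name__ == "__main__":
    main()
```

To use it on a real capture, replace `SAMPLE_EVE` with the contents of `./out/eve.json` and set the CIDR of the network the phone was on. The User-Agent and hostname per alert are usually the quickest way to narrow down which app made the request, and the `flow_id` join shows every other record of the same connection without having to locate the packets by eye in Wireshark.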