I wanted to test the security of my Android phone, so I left it for one day running tcpdump in the background.
Then I sent the resulting pcap to virustotal.com. They scan pcap files using Snort and Suricata.
In the report I have an alert for ET MOBILE MALWARE Google Android Device HTTP Request.
How can I get more info about the packets that triggered the alert? I'm interested mostly in the remote IP, but the contents would be helpful too; I'm trying to identify which app triggered the alert, etc.
I have a Linux machine to analyze the file further but don't know where to start. I assume that if I just run suricata -r my.pcap
it will give me the same output and nothing more. How do I get more details?
I'm not skilled enough to spot a suspicious packet by eye or with Wireshark filters. To refine my question: how do I figure out which packets correspond to which Suricata/Snort alert? For example, I got the
ET MOBILE_MALWARE Google Android Device HTTP Request (Potential Corporate Privacy Violation)
alert from Suricata; how do I get more details about what in the pcap file triggered this alert? As for sending files, you're right, but I rather trust virustotal.com (it's not some random online service); any particular reason not to? – Lord_JABA – 2015-05-24T00:42:05.247
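One way to get from a Suricata alert back to the packets behind it, added here as an example and not part of the question or of Suricata itself: run Suricata over the pcap with a log directory (suricata -r my.pcap -l ./out), then read the EVE JSON log it writes (out/eve.json by default in most distributions' suricata.yaml), where every alert record carries the 5-tuple of the flow, the rule name and category, and, for HTTP rules, the hostname, URL and User-Agent of the request that matched. The script below parses such records, reports the remote server for each alert, and emits a BPF filter you can hand to tcpdump or tshark to pull that single flow out of the capture. The EVE field names are Suricata's; the sample log lines, IP addresses, hostnames and the signature_id 9999999 are constructed placeholders for this example, and whether http fields appear at all depends on the outputs section of your suricata.yaml.

```python
import ipaddress
import json
import sys

# Constructed sample of Suricata EVE JSON (one JSON object per line).
# Field names are Suricata's own; addresses, hostnames and the
# signature_id 9999999 are placeholders made up for this example.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2015-05-23T10:00:01.000000+0000","flow_id":1,"event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":41000,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP",'
    '"alert":{"signature_id":9999999,"signature":"ET MOBILE_MALWARE Google Android Device HTTP Request",'
    '"category":"Potential Corporate Privacy Violation","severity":1},'
    '"http":{"hostname":"example.test","url":"/ping","http_user_agent":"Dalvik/2.1.0 (Linux; U; Android 5.0)"}}',
    # A plain http event for the same flow: not an alert, so it is skipped below.
    '{"timestamp":"2015-05-23T10:00:01.100000+0000","flow_id":1,"event_type":"http",'
    '"src_ip":"10.0.0.5","src_port":41000,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP",'
    '"http":{"hostname":"example.test","url":"/ping","status":200}}',
    '{"timestamp":"2015-05-23T10:05:00.000000+0000","flow_id":2,"event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":41001,"dest_ip":"203.0.113.9","dest_port":80,"proto":"TCP",'
    '"alert":{"signature_id":9999999,"signature":"ET MOBILE_MALWARE Google Android Device HTTP Request",'
    '"category":"Potential Corporate Privacy Violation","severity":1},'
    '"http":{"hostname":"other.test","url":"/","http_user_agent":"Dalvik/2.1.0 (Linux; U; Android 5.0)"}}',
]


def parse_eve(lines):
    """Yield decoded EVE records, skipping blank or malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated last line is common while Suricata is still writing


def remote_side(rec):
    """Pick the non-private address as the 'remote' end; fall back to dest_ip."""
    for key in ("dest_ip", "src_ip"):
        if not ipaddress.ip_address(rec[key]).is_private:
            return rec[key]
    return rec["dest_ip"]


def bpf_for_record(rec):
    """Build a BPF filter that isolates the whole flow (both directions) of one record."""
    parts = [rec.get("proto", "ip").lower(), f"host {rec['src_ip']}", f"host {rec['dest_ip']}"]
    if "src_port" in rec and "dest_port" in rec:  # ICMP records carry no ports
        parts += [f"port {rec['src_port']}", f"port {rec['dest_port']}"]
    return " and ".join(parts)


def summarize_alerts(lines):
    """One summary dict per alert record: rule, remote host, HTTP details, flow filter."""
    summaries = []
    for rec in parse_eve(lines):
        if rec.get("event_type") != "alert":
            continue
        http = rec.get("http", {})
        summaries.append({
            "timestamp": rec.get("timestamp"),
            "flow_id": rec.get("flow_id"),
            "signature": rec["alert"]["signature"],
            "category": rec["alert"].get("category"),
            "remote_ip": remote_side(rec),
            "hostname": http.get("hostname"),
            "url": http.get("url"),
            "user_agent": http.get("http_user_agent"),
            "bpf": bpf_for_record(rec),
        })
    return summaries


def remotes_by_signature(lines):
    """Map each rule name to the sorted set of remote IPs it fired on."""
    grouped = {}
    for s in summarize_alerts(lines):
        grouped.setdefault(s["signature"], set()).add(s["remote_ip"])
    return {sig: sorted(ips) for sig, ips in grouped.items()}


if __name__ == "__main__":
    # Usage: python eve_alerts.py out/eve.json my.pcap
    path = sys.argv[1] if len(sys.argv) > 1 else None
    pcap = sys.argv[2] if len(sys.argv) > 2 else "my.pcap"
    lines = open(path, encoding="utf-8") if path else SAMPLE_EVE_LINES
    for s in summarize_alerts(lines):
        print(f"{s['timestamp']} {s['signature']} [{s['category']}]")
        print(f"  remote {s['remote_ip']}  host {s['hostname']}  url {s['url']}  UA {s['user_agent']}")
        print(f"  tcpdump -r {pcap} -w flow_{s['flow_id']}.pcap '{s['bpf']}'")
```

The printed tcpdump line writes just the offending flow to its own small pcap, which is then easy to open in Wireshark (Follow TCP Stream) to read the request body; the User-Agent and hostname fields usually narrow down which app made the request, since Android apps using the stock HTTP stack identify themselves with a Dalvik User-Agent and each app tends to talk to its own backend hosts. If the rule in question matches on the User-Agent rather than on a destination, every app that uses that stack can trigger it, so the same signature firing against several unrelated hosts is itself informative.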