We have seen that many users send their PCAPs to VirusTotal. These PCAPs often contain HTTP flows in which a trojan is downloaded, recordings of worm scanning sweeps, logs of exploits being delivered to a honeymonkey, and so on. We want to help the users who submit PCAPs to VirusTotal and improve their research, which is why we have introduced PCAP analysis. Its features are:
- Processes the files with popular intrusion detection systems (Snort and Suricata for the moment) and logs the rules that they trigger.
- Extracts file metadata with Wireshark.
- Lists DNS resolutions performed.
- Lists HTTP communication.
- Extracts files seen in the different network flows and links to the pertinent VirusTotal reports when the given file is of an interesting type (portable executables, PDFs, Flash, compressed bundles, etc.). If you are registered in VirusTotal Community and have signed in, these interesting files extracted from the network flows will be available for you to download, as long as you are the first submitter of the PCAP (which, for this type of file, is the most common situation).
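To show what the DNS and HTTP listing steps above involve, here is an added example (not VirusTotal's own code) that parses a classic pcap with the standard library only and reports the DNS query names and HTTP requests it finds. The capture it reads is constructed inline (a DNS lookup followed by a GET to the resolved host); the host name, path and addresses are made up for the illustration.

```python
import struct

def _frame(proto, dport, payload):
    """Minimal Ethernet/IPv4 frame for the sample capture; checksums are left zero (the parser ignores them)."""
    if proto == 17:  # UDP header: sport, dport, length, checksum
        l4 = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    else:            # TCP header: data offset 5 words, flags PSH+ACK
        l4 = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 0x50, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])) + l4
    return b"\x00" * 12 + b"\x08\x00" + ip  # zero MACs, EtherType IPv4

def _dns_query(name):
    """DNS query for one A record (header, QNAME labels, QTYPE=A, QCLASS=IN)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

# Constructed sample pcap (little-endian magic, Ethernet link type): one DNS query, one HTTP GET.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in (
        _frame(17, 53, _dns_query("cdn.example.net")),
        _frame(6, 80, b"GET /update.exe HTTP/1.1\r\nHost: cdn.example.net\r\n\r\n"),
    ))

def frames(pcap):
    """Yield link-layer frames from a little-endian classic pcap (24-byte global header, 16-byte record headers)."""
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        yield pcap[off + 16:off + 16 + incl]
        off += 16 + incl

def summarize(pcap):
    """Return the DNS query names and HTTP requests (host + path) seen in the capture."""
    dns, http = [], []
    for f in frames(pcap):
        if f[12:14] != b"\x08\x00":      # IPv4 only
            continue
        ip = f[14:]
        l4 = ip[(ip[0] & 0x0F) * 4:]     # skip the IP header using its IHL field
        dport = struct.unpack("!H", l4[2:4])[0]
        if ip[9] == 17 and dport == 53:  # DNS query: walk the labels of the first question
            q, labels = l4[8 + 12:], []
            while q[0]:
                labels.append(q[1:1 + q[0]].decode()); q = q[1 + q[0]:]
            dns.append(".".join(labels))
        elif ip[9] == 6 and dport == 80:  # HTTP request: request line plus Host header
            body = l4[(l4[12] >> 4) * 4:]
            if body[:4] in (b"GET ", b"POST"):
                lines = body.split(b"\r\n")
                host = next((x[6:].decode() for x in lines if x.startswith(b"Host: ")), "")
                http.append(host + lines[0].split()[1].decode())
    return {"dns": dns, "http": http}
```

A real report would go on to carve the HTTP response body and hash it so the file can be looked up on VirusTotal, which is the extraction step the list above describes.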
Edited by Alex on Apr 24, 2013 1:45 PM