Ask Your Question
0

Determine if python code was sent through port 80

asked 2019-03-08 15:23:46 +0000

johnny101 gravatar image

updated 2019-03-08 15:33:41 +0000

Hello,

I'm looking at a pcap where a connection was made through port 80 using http protocol. I plan on writing a snort rule that checks to see if a python script was sent in the contents of a packet rather than regular html (or anything to display a webpage). Is there any way I can determine if a script was sent without completely analyzing the contents of a packet manually? I would rather not use machine learning for this so I'm wondering if there a discrete way I can figure out if a script was sent.

The reason why I want to do this is to see if attackers are sending commands to malware through this port.

Thanks

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-03-11 14:48:43 +0000

Kurt Knochner gravatar image

You could search for typical python code statements with Wireshark filters, like

http contains "import"  
http contains "import sys"

or any other python statement you can think of.

Regards
Kurt

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2019-03-08 15:23:46 +0000

Seen: 317 times

Last updated: Mar 11 '19