Ask Your Question
0

I need help to analyze slammer.pcap

asked 2019-09-01 02:20:51 +0000

updated 2019-09-01 03:39:23 +0000

Guy Harris gravatar image

Hi!

I just want some help or guide to analyze or understand the slammer.pcap exercise file provided by Wireshark page.

Link

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-09-01 07:13:55 +0000

hackslash gravatar image

post your pcap file , or we dont know what you talking

edit flag offensive delete link more

Comments

Presumably they're referring to the "slammer.pcap" file on the Wireshark Wiki's Sample Captures page. The description of that capture is "Slammer worm sending a DCE RPC packet.". The Web searches I've done show a "Slammer" worm that attacks via SQL, not DCE RPC, so I'm not sure what that packet indicates. It's also not an "exercise" in the sense of, for example, an exercise in a training course.

Guy Harris gravatar imageGuy Harris ( 2019-09-01 07:37:24 +0000 )edit

One way to look at this (under linux at least) would be to use the Snort post-dissector (https://wiki.wireshark.org/Snort) with the emerging-threats rules (https://rules.emergingthreats.net/ope...) and open slammer.pcap. Then, you should see that one or more alerts fired and: - what rule(s) caused the alert(s) to be detected - where in the packet the content or pcre fields were found (and where they occur in the normal dissection) - clickable links to web-pages describing the snort rule and the threat it is thought to represent

This is admittedly be not-straightforward, especially if you are not already familiar with snort, but I am pretty sure I did this for this exact capture file once before.

MartinM gravatar imageMartinM ( 2019-09-02 22:13:14 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-09-01 02:20:51 +0000

Seen: 878 times

Last updated: Sep 01 '19