From bdbbeb45eb5822209ce49e39abcc9505c4cb31fa Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 10 Jan 2015 22:28:06 +0100 Subject: [PATCH] Basic HOWTO added --- README.md | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 67e6e3a..2e0cc9b 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,29 @@ # Malware Classifier From Network Capture -*Malware Classifier* is a simple free software project done during an [university workshop of 4 hours](http://www.foo.be/cours/dess-20142015/Redis-Introduction.pdf). The objective of the 4 hours workshop was to introduce network forensic and simple techniques to classify malware network capture (from their execution in a virtual machine). So the software was kept very simple while using and learning existing tools (networkx, redis and Gephi). +*Malware Classifier* is a simple free software project done during an [university workshop of 4 hours](http://www.foo.be/cours/dess-20142015/Redis-Introduction.pdf). The objective of the 4 hours workshop was to introduce network forensic and simple techniques to classify malware network capture (from their execution in a virtual machine). So the software was kept very simple while using and learning existing tools ([networkx](https://networkx.github.io/), [redis](http://www.redis.io/) and [Gephi](http://gephi.github.io/)). + +# How to use the Malware Classifier + +You'll need of a set of network packet captures. In the workshop, we used a dataset with more than 5000 pcap files generated from the execution of malware in virtual machines. + +``` +... +0580c82f6f90b75fcf81fd3ac779ae84.pcap +05a0f4f7a72f04bda62e3a6c92970f6e.pcap +05b4a945e5f1f7675c19b74748fd30d1.pcap +05b57374486ce8a5ce33d3b7d6c9ba48.pcap +05bbddc8edac3615754f93139cf11674.pcap +... +``` + +The filename includes the MD5 malware executed in the virtual machine. + +If you want to classify malware communications based on the Server HTTP headers of the (potential) C&C communication. + +```shell +cd capture +ls -1 . | parallel --gnu "cat {1} | tshark -E header=yes -E separator=, -Tfields -e http.server -r {1} | python ./bin/import.py -f {1} " +``` ## Notes for the student