-
Notifications
You must be signed in to change notification settings - Fork 1.9k
Expand file tree
/
Copy pathPcapMinerV2.yml
More file actions
375 lines (375 loc) · 11.9 KB
/
PcapMinerV2.yml
File metadata and controls
375 lines (375 loc) · 11.9 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
args:
- description: The entry_id of the PCAP file to mine.
name: entry_id
required: true
- auto: PREDEFINED
description: A comma-separated list of protocols to output as context. If empty, will not output any protocols to context.
isArray: true
name: protocol_output
predefined:
- HTTP
- DNS
- LLMNR
- SYSLOG
- SMTP
- NETBIOS
- ICMP
- KERBEROS
- TELNET
- SSH
- IRC
- FTP
- SMB2
- All
- auto: PREDEFINED
description: Whether to extract IP, URL, and Email from PCAP file. Can be "True" or "False".
name: extract_strings
predefined:
- 'True'
- 'False'
- description: 'Filter to apply on PCAP. Wireshark syntax as can be found here: https://www.wireshark.org/docs/man-pages/wireshark-filter.html'
name: pcap_filter
- description: Your own regular expression to extract from the PCAP.
name: custom_regex
- description: The name of the PCAP file to save to the War Room after applying the `pcap_filter` (i.e. `filtered_file.pcap`).
name: filtered_file_name
- description: The entry ID for the RSA decryption key.
name: rsa_decrypt_key_entry_id
- defaultValue: '15'
description: Number of conversations to display. The default is 15.
name: convs_to_display
- description: The WPA password. By providing the password you will be able to decrypt encrypted traffic data.
name: wpa_password
- auto: PREDEFINED
defaultValue: 'False'
description: Output to context the source and destination IPs in the PCAP file. Can be "True" or "False". The default is "False".
name: extract_ips
predefined:
- 'True'
- 'False'
comment: |-
PcapMIner V2 allows to parse PCAP files by displaying the all of the relevant data within including ip addresses, ports, flows, specific protocol breakdown, searching by regex, decrypting encrypted traffic and more.
This automation takes about a minute to process 20,000 packets (which is approximately 10MB). If you want to mine large files you can either:
a) Use the `pcap_filter` parameter to filter your PCAP file and thus make is smaller.
b) Copy the automation and change the `default timeout` parameter to match your needs.
commonfields:
id: PcapMinerV2
version: -1
enabled: true
name: PcapMinerV2
outputs:
- contextPath: PCAPResults.Bytes
description: The number of bytes transmitted in the PCAP file.
type: Number
- contextPath: PCAPResults.Packets
description: The number of packets transmitted in the PCAP file.
type: Number
- contextPath: PCAPResults.EntryID
description: The entryID of the PCAP file.
type: String
- contextPath: PCAPResults.StreamCount
description: The number of streams in the PCAP file.
type: String
- contextPath: PCAPResults.StartTime
description: The date and time of the first packet in the PCAP file.
type: Date
- contextPath: PCAPResults.EndTime
description: The date and time of the last packet in the PCAP file.
type: String
- contextPath: PCAPResults.UniqueSourceIP
description: The number of unique IPs from which packets were transmitted.
type: Number
- contextPath: PCAPResults.UniqueDestIP
description: The number of unique IPs from to packets were transmitted.
type: Number
- contextPath: PCAPResultsFlow.Bytes
description: The number of bytes transmitted in the flow.
type: String
- contextPath: PCAPResultsFlow.DestIP
description: The destination IP of the flow.
type: String
- contextPath: PCAPResultsFlow.Transport
description: The transport protocol of the flow.
type: String
- contextPath: PCAPResultsFlow.SourceIP
description: The source IP of the flow.
type: String
- contextPath: PCAPResultsFlow.SourcePort
description: The source port of the flow.
type: String
- contextPath: PCAPResultsFlow.DestPort
description: The destination port of the flow.
type: String
- contextPath: PCAPResultsFlow.Duration
description: The duration of the flow (in seconds).
type: String
- contextPath: PCAPResultsFlow.EndTime
description: The date/time the flow ended.
type: Date
- contextPath: PCAPResultsFlow.StartTime
description: The date/time the flow started.
type: Date
- contextPath: PCAPResults.URL
description: The URLs extracted from the file.
type: String
- contextPath: PCAPResults.IP
description: The IPs extracted from the file.
type: String
- contextPath: PCAPResults.Email
description: The emails extracted from the file.
type: String
- contextPath: PCAPResults.Regex
description: The regular expressions specified in `extract_regex` extracted from the file.
type: String
- contextPath: PCAPResultsHTTP.ResponseStatusCode
description: The response code.
type: String
- contextPath: PCAPResultsHTTP.RequestVersion
description: The request version.
type: String
- contextPath: PCAPResultsHTTP.RequestCacheControl
description: The cache control of the request.
type: String
- contextPath: PCAPResultsHTTP.ResponseDate
description: The date/time of the response.
type: Date
- contextPath: PCAPResultsHTTP.RequestMethod
description: The request method.
type: String
- contextPath: PCAPResultsHTTP.RequestSourceIP
description: The source IP of the request.
type: String
- contextPath: PCAPResultsHTTP.ResponseContentType
description: The response content type.
type: String
- contextPath: PCAPResultsHTTP.RequestAgent
description: The request agent.
type: String
- contextPath: PCAPResultsHTTP.RequestHost
description: The request host.
type: String
- contextPath: PCAPResultsHTTP.ResponseVersion
description: The response version.
type: String
- contextPath: PCAPResultsHTTP.ID
description: The ID of the HTTP interaction.
type: String
- contextPath: PCAPResultsHTTP.EntryID
description: The PCAP entry ID.
type: String
- contextPath: PCAPResultsHTTP.RequestURI
description: The request URI.
type: String
- contextPath: PCAPResultsHTTP.ResponseContentLength
description: The length of the response content.
type: String
- contextPath: PCAPResultsHTTP.ResponseCodeDesc
description: The code description of the response.
type: String
- contextPath: PCAPResultsDNS.ID
description: The ID of the DNS request.
type: String
- contextPath: PCAPResultsDNS.Request
description: The DNS request.
type: String
- contextPath: PCAPResultsDNS.Response
description: The DNS response.
type: String
- contextPath: PCAPResultsDNS.Type
description: The type of the DNS request.
type: String
- contextPath: PCAPResultsDNS.ID
description: The DNS packet ID.
type: String
- contextPath: PCAPResultsDNS.EntryID
description: The PCAP entry ID.
type: String
- contextPath: PCAPResults.Protocols
description: List of protocols found in the PCAP.
type: String
- contextPath: PCAPResultsSMTP.From
description: The mail sender.
type: String
- contextPath: PCAPResultsSMTP.To
description: The mail recipients.
type: String
- contextPath: PCAPResultsSMTP.Subject
description: The mail subject.
type: String
- contextPath: PCAPResultsSMTP.MimeVersion
description: The mime version.
type: String
- contextPath: PCAPResultsSMTP.ID
description: The SMTP packet's ID.
type: String
- contextPath: PCAPResultsSMTP.EntryID
description: The PCAP entry ID.
type: String
- contextPath: PCAPResultsKERBEROS.EntryID
description: The PCAP entry ID.
type: String
- contextPath: PCAPResultsKERBEROS.Realm
description: The KERBEROS realm.
type: String
- contextPath: PCAPResultsKERBEROS.SName
description: The KERBEROS SName.
type: String
- contextPath: PCAPResultsKERBEROS.CName
description: The KERBEROS CName.
type: String
- contextPath: PCAPResultsTelnet.Data
description: The telnet data.
type: String
- contextPath: PCAPResultsTelnet.Commands
description: The telnet commands.
type: String
- contextPath: PCAPResultsTelnet.EntryID
description: The PCAP entry ID.
type: String
- contextPath: PCAPResultsLLMNR.EntryID
description: The PCAP entry ID.
type: String
- contextPath: PCAPResultsLLMNR.QueryClass
description: The LLMNR query class.
type: String
- contextPath: PCAPResultsLLMNR.QueryName
description: The LLMNR query name.
type: String
- contextPath: PCAPResultsLLMNR.Questions
description: The LLMNR questions.
type: String
- contextPath: PCAPResultsLLMNR.ID
description: The LLMNR packet ID.
type: String
- contextPath: PCAPResultsLLMNR.QueryType
description: The LLMNR query type.
type: String
- contextPath: PCAPResultsSYSLOG.EntryID
description: The PCAP entry ID.
type: String
- contextPath: PCAPResultsSYSLOG.ID
description: The SYSLOGS packet ID.
type: String
- contextPath: PCAPResultsSYSLOG.Message
description: The SYSLOGS message.
type: String
- contextPath: PCAPResultsSYSLOG.Hostname
description: The SYSLOGS host name.
type: String
- contextPath: PCAPResultsSYSLOG.Timestamp
description: The SYSLOGS time stamp.
type: String
- contextPath: PCAPResultsSMB2.EntryID
description: The PCAP entry ID.
type: String
- contextPath: PCAPResultsSMB2.ID
description: The SMB2 packet ID.
type: String
- contextPath: PCAPResultsSMB2.UserName
description: The SMB2 user name.
type: String
- contextPath: PCAPResultsSMB2.Domain
description: The SMB2 domain.
type: String
- contextPath: PCAPResultsSMB2.HostName
description: The SMB2 host name.
type: String
- contextPath: PCAPResultsSMB2.Command
description: The SMB2 command.
type: String
- contextPath: PCAPResultsSMB2.FileName
description: The SMB2 file name.
type: String
- contextPath: PCAPResultsSMB2.Tree
description: The SMB2 tree.
type: String
- contextPath: PCAPResultsNETBIOS.EntryID
description: The PCAP entry ID.
type: String
- contextPath: PCAPResultsNETBIOS.ID
description: The NETIOS packet ID.
type: String
- contextPath: PCAPResultsNETBIOS.Name
description: The NETIOS name.
type: String
- contextPath: PCAPResultsNETBIOS.Type
description: The NETIOS type.
type: String
- contextPath: PCAPResultsNETBIOS.Class
description: The NETIOS class.
type: String
- contextPath: PCAPResultsIRC.EntryID
description: The PCAP entry ID.
type: String
- contextPath: PCAPResultsIRC.ID
description: The IRC packet ID.
type: String
- contextPath: PCAPResultsIRC.RequestCommand
description: The IRC request command.
type: String
- contextPath: PCAPResultsIRC.RequestTrailer
description: The IRC request trailer.
type: String
- contextPath: PCAPResultsIRC.RequestPrefix
description: The IRC request prefix.
type: String
- contextPath: PCAPResultsIRC.RequestParameters
description: The IRC request parameters.
type: String
- contextPath: PCAPResultsIRC.ResponseCommand
description: The IRC response command.
type: String
- contextPath: PCAPResultsIRC.ResponseTrailer
description: The IRC response trailers.
type: String
- contextPath: PCAPResultsIRC.ResponsePrefix
description: The IRC response prefix.
type: String
- contextPath: PCAPResultsIRC.ResponseParameters
description: The IRC response parameters.
type: String
- contextPath: PCAPResultsFTP.EntryID
description: The PCAP entry ID.
type: String
- contextPath: PCAPResultsFTP.ID
description: The FTP packet ID.
type: String
- contextPath: PCAPResultsFTP.RequestCommand
description: The FTP request command.
type: String
- contextPath: PCAPResultsFTP.ResponseArgs
description: The FTP response arguments.
type: String
- contextPath: PCAPResultsFTP.ResponseCode
description: The FTP response code.
type: String
- contextPath: PCAPResultsICMP
description: ICMP data.
type: String
- contextPath: PCAPResultsSSH.EntryID
description: The PCAP's entry ID.
type: String
- contextPath: PCAPResultsSSH.ClientProtocols
description: The SSH client protocols in the PCAP.
type: String
- contextPath: PCAPResultsSSH.ServerProtocols
description: The SSH server protocols in the PCAP.
type: String
- contextPath: PCAPResultsSSH.KeyExchangeMessageCode
description: The SSH key exchange message codes.
type: String
script: '-'
tags:
- pcap
- mine
- file
- Utility
timeout: '0'
type: python
dockerimage: devdemisto/pcap-miner:1.0.0.8936208
runas: DBotWeakRole
runonce: true
tests:
- No tests (auto formatted)
subtype: python3
fromversion: 5.0.0