Closed infosec-intern closed 7 months ago
Also, I'd like to take this on. I just can't assign the ticket to myself afaik
It would be very interesting to have a pcap one, but the difficulty is the number of parsers and pcap formats (pcap, pcap-ng, Wireshark and alike).
Another example is the JSON export of wireshark: https://github.com/MISP/misp-objects/issues/11
Maybe doing a basis pcap object would work with the most common denominators.
I'll play around with it some more and try to get a fairly file-agnostic solution.
When you refer to a basis pcap object, do you mean an actual misp-object or just pulling out a subset of data that we know is in all the filetypes?
I'm looking into using pyshark to parse the data. It leverages tshark on the backend, so anything parseable by tshark/wireshark should be available to it. Still researching.
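As an added illustration of the "common denominator" approach discussed above (not code from this thread, from the misp-modules project, or from pyshark, which needs a tshark binary and so cannot be shown offline), the following stand-alone Python walks a classic pcap file with `struct` only and pulls out the attributes that every capture format can yield: source/destination IPv4 addresses and DNS query names. The `ip-src`/`ip-dst`/`domain` keys are an assumed, MISP-style labelling, not an actual misp-object definition, and the sample capture is constructed inline with RFC 5737 documentation addresses. It also shows the caveat raised earlier: a pcap-ng file has a different container layout, so the parser refuses it explicitly instead of mis-reading it.

```python
import struct
from ipaddress import IPv4Address

# Classic pcap magic numbers -> struct byte-order prefix (pcap-ng is a different format).
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"
LINKTYPE_ETHERNET = 1


def iter_pcap_records(data):
    """Yield (ts_sec, frame_bytes) from a classic pcap byte string."""
    if data[:4] == PCAPNG_MAGIC:
        raise ValueError("pcap-ng container detected; this parser only handles classic pcap")
    order = PCAP_MAGICS.get(data[:4])
    if order is None:
        raise ValueError("unknown magic; not a classic pcap file")
    # Global header: magic(4) major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
    _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack(order + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled here")
    off = 24
    while off + 16 <= len(data):
        # Record header: ts_sec(4) ts_frac(4) incl_len(4) orig_len(4)
        ts_sec, _frac, incl_len, _orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break  # truncated final record; stop rather than mis-parse
        off += incl_len
        yield ts_sec, frame


def parse_dns_qname(payload, off):
    """Decode the uncompressed QNAME at `off`; return None if malformed."""
    labels = []
    while off < len(payload):
        n = payload[off]
        if n == 0:
            return ".".join(labels)
        if n & 0xC0:
            return None  # compression pointers are not valid in a query name
        labels.append(payload[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return None


def extract_iocs(data):
    """Collect IPv4 endpoints and DNS query names from a classic pcap."""
    iocs = {"ip-src": set(), "ip-dst": set(), "domain": set()}  # assumed MISP-style labels
    for _ts, pkt in iter_pcap_records(data):
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue  # not an IPv4 frame
        ihl = (pkt[14] & 0x0F) * 4
        proto = pkt[23]
        iocs["ip-src"].add(str(IPv4Address(pkt[26:30])))
        iocs["ip-dst"].add(str(IPv4Address(pkt[30:34])))
        l4 = 14 + ihl
        if proto == 17 and len(pkt) >= l4 + 8:  # UDP
            dport = struct.unpack("!H", pkt[l4 + 2:l4 + 4])[0]
            dns = pkt[l4 + 8:]
            if dport == 53 and len(dns) >= 12 and not (dns[2] & 0x80):  # QR bit 0 = query
                name = parse_dns_qname(dns, 12)
                if name:
                    iocs["domain"].add(name)
    return {k: sorted(v) for k, v in iocs.items()}


def build_sample_pcap():
    """Constructed two-frame capture: a DNS query for example.com and a TCP SYN to :443."""
    def ipv4(proto, src, dst, payload):
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                          IPv4Address(src).packed, IPv4Address(dst).packed)
        return hdr + payload  # checksum left at 0; the extractor does not validate it

    def ether(payload):
        return bytes(6) + bytes(6) + b"\x08\x00" + payload

    def dns_query(name):
        qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
        return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

    def udp(sport, dport, payload):
        return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

    frames = [
        ether(ipv4(17, "192.0.2.10", "192.0.2.1", udp(40000, 53, dns_query("example.com")))),
        ether(ipv4(6, "192.0.2.10", "198.51.100.5",
                   struct.pack("!HHIIBBHHH", 50000, 443, 0, 0, 0x50, 0x02, 1024, 0, 0))),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    print(extract_iocs(build_sample_pcap()))
```

The DNS branch only accepts queries (QR bit clear), so answer records, which need name-compression handling, are deliberately left to a fuller parser such as tshark; the point of the block is the minimal, format-independent subset, with the pcap-ng rejection making the format boundary explicit.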
https://github.com/misp/misp-wireshark/ has now been available for some time.
Something to pull IOCs out of PCAPs since that's a common file format exported by security tools. This should be fairly compatible with the new MISP objects as well