Comments on TaoSecurity Blog: CWSandbox Offers Pcaps
Author: Richard Bejtlich
Feed updated: 2023-10-16T06:06:25.012-04:00

Comment by jbmoore, 2008-10-26T11:14:00.000-04:00

Thanks for the heads up! This is handy! I haven't visited his site in about a month, but this feature of CWSandbox will come in quite handy! They don't pay those guys enough. They write some great papers on IT Security.

Comment by Anonymous, 2008-10-24T04:16:00.000-04:00

I ran the pcap through NetworkMiner (http://sourceforge.net/projects/networkminer/), which automatically extracted all the files. The anti-virus on my computer immediately alerted that the file l.exe contained the Downloader-BKH trojan.

I'll add this pcap file link to my list of publicly available pcap files (http://networkminer.wiki.sourceforge.net/Publicly+available+PCAP+files).

Thanks for the find, Richard!

Comment by Anonymous, 2008-10-24T03:42:00.000-04:00

Hi, you have great work, friend. Keep it up.

Comment by Anonymous, 2008-10-23T17:17:00.000-04:00

Nice post Richard, thanks.

Anyone know why the Argus output seems to have the source and destination mixed up with the early RST traffic? For example:

 23:24:00.103663 e tcp 74.213.167.192.80 10.1.7.2.56963 2 319 RST

Wireshark seems to show 10.1.7.2 as the source, which makes sense.