Verifying network IoC hits in millions of packets
Detection of a network breach usually leads to a number of single-packet “Indicators of Compromise” (IoC) hits located in a pile of millions of network packets. This talk walks through an example of extracting the full conversation flow for each hit with little manual effort, so that events can be qualified as true or false positives.
A common approach to investigating networks for Indicators of Compromise is to gather network packets from Internet uplinks or other network locations (e.g. traffic for servers suspected of being compromised). The amount of data recorded can vary from a few MByte to hundreds of GByte or even TByte in some cases.
Tools like Snort or Suricata can scan for malicious patterns efficiently, but they usually return single-packet hits. IDS/IPS systems deployed at strategic locations have the same issue: it’s quite difficult for analysts to qualify a hit based on one packet alone. Having the full conversation allows request and response details to be inspected, and I’ll show how to do that in an easy way, even if the pile of packets is really huge.
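As an added example (not code from the talk), here is a minimal pure-Python flow extractor for the step described above: given the index of a single-packet IDS hit in a classic pcap file, it returns the indices of every packet in the same bidirectional TCP or UDP conversation, which can then be written out or opened in a packet viewer. The sample capture is constructed inline, and it assumes IPv4 over Ethernet and the classic (non-pcapng) pcap format; the names `flow_key`, `read_pcap` and `extract_flow` are this example's own.

```python
# Added example (not from the talk): given the index of a single-packet IDS hit
# in a pcap, collect every packet of the same bidirectional TCP/UDP conversation.
import struct
from collections import defaultdict

def flow_key(pkt):
    # Direction-agnostic 5-tuple for an Ethernet/IPv4/TCP-or-UDP frame, else None.
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        return None
    ihl, proto = (pkt[14] & 0x0F) * 4, pkt[23]
    l4 = 14 + ihl
    if proto not in (6, 17) or len(pkt) < l4 + 4:
        return None
    sport, dport = struct.unpack("!HH", pkt[l4:l4 + 4])
    ends = sorted([(pkt[26:30], sport), (pkt[30:34], dport)])
    return (proto,) + tuple(ends)

def read_pcap(data):
    # Yield raw frames from a classic (non-pcapng) capture; both byte orders handled.
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24                                         # skip the global header
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def extract_flow(data, hit_index):
    # Return indices of all packets sharing the hit packet's conversation.
    flows, hit_key = defaultdict(list), None
    for i, pkt in enumerate(read_pcap(data)):
        k = flow_key(pkt)
        if k is not None:
            flows[k].append(i)
        if i == hit_index:
            hit_key = k
    return flows[hit_key] if hit_key is not None else [hit_index]

# Constructed sample capture: a two-way TCP exchange on port 80 between
# 10.0.0.1 and 192.0.2.5, with an unrelated UDP datagram in between.
def _frame(src, dst, proto, sport, dport):
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = b"\x45\x00\x00\x28\x00\x00\x00\x00\x40" + bytes([proto]) + b"\x00\x00" + src + dst
    return eth + ip + struct.pack("!HH", sport, dport) + b"\x00" * 16

def _pcap(frames):
    hdr = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

A, B, C = bytes([10, 0, 0, 1]), bytes([192, 0, 2, 5]), bytes([10, 0, 0, 9])
SAMPLE = _pcap([_frame(A, B, 6, 40000, 80), _frame(C, B, 17, 5353, 53),
                _frame(B, A, 6, 80, 40000), _frame(A, B, 6, 40000, 80)])
```

For a multi-gigabyte capture the same single pass works, since only the flow of interest needs to be kept; a hit on packet 0 of the sample above yields packets 0, 2 and 3.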