Security Onion: Malware Attack Analysis and Incident Report


Added on 2019/09/24

AI Summary
This report analyzes a PCAP file containing network traffic to identify and describe a malware attack using Security Onion. The assignment requires identifying the victim machine, the events leading to infection, and the malware components. The report examines 14 TCP exchanges, selecting four for detailed analysis: three successful and one failed activity. For each selected exchange, it provides a summary of the activity, lists the involved protocols and security events, and explains the malware's actions or the reasons for its failure. The report concludes with a summary of the potential damage from such malware, and suggestions on how to prevent or avoid such attacks in the future.
PURPOSE
Throughout this unit we are learning about the different protocols used in computer networks
and some of the ways they are used by attackers. In this assessment task you will conduct an
analysis of captured network traffic using the tools of Security Onion to demonstrate your
understanding of abnormal protocol behaviour by preparing a security incident report
explaining a malware attack.
TASK(S)
The network traffic that we will be examining for this task can be found at:
http://www.malware-traffic-analysis.net/2015/05/29/index.html
On this page you will find a password protected ZIP file containing the PCAP file (the password
is ‘infected’). Download this PCAP file and import it into Security Onion (see Importing PCAP
Hints below). Upon importing, you will see the following events in Sguil:
[Sguil event list screenshot]

Assessment Information
The above security alerts include a total of 14 different TCP exchanges, as follows:
a. 10.3.162.105:62612 – 149.3.144.218:80 (IDs 3.21, 3.33)
b. 10.3.162.105:62632 – 68.178.254.108:80 (ID 3.71)
c. 10.3.162.105:62637 – 91.200.14.95:80 (IDs 3.75, 3.77, 3.79, 3.81, 3.82)
d. 10.3.162.105:62638 – 46.249.199.41:80 (IDs 3.83, 3.84, 3.85, 3.86, 3.88)
e. 10.3.162.105:62640 – 37.140.192.238:80 (ID 3.109)
f. 10.3.162.105:62641 – 178.208.83.15:80 (IDs 3.114, 3.115, 3.127)
g. 10.3.162.105:62643 – 109.120.189.60:80 (ID 3.141)
h. 10.3.162.105:62717 – 205.234.186.115:80 (ID 3.204)
i. 10.3.162.105:62769 – 23.15.4.18:80 (ID 3.246)
j. 10.3.162.105:62869 – 61.65.90.109:80 (ID 3.298)
k. 10.3.162.105:62872 – 61.65.90.109:80 (ID 3.299)
l. 10.3.162.105:62947 – 5.35.235.167:80 (IDs 3.302, 3.303)
m. 10.3.162.105:63000 – 37.76.209.224:80 (ID 3.305)
n. 10.3.162.105:63158 – 189.140.46.92:80 (ID 3.318)
Note that on the page you download this PCAP file from there is also a link at the bottom of the
page “to help you get the answers” – this page contains a number of hints you may wish to
check (note that you won’t need all the information on this page – you may not need any of it!).
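The exchange list above is what a per-connection summary of the capture looks like once the alerts are grouped by client port. As an added example (not from the assignment, the course, or Security Onion itself), the following Python builds a small constructed PCAP in memory, parses it back with only the standard library, groups packets into client-to-server exchanges by which side sent the SYN, and flags exchanges that never received a SYN-ACK. The addresses reuse the ones printed in the list for familiarity; the packets, the HTTP request, and the choice of which exchange fails are constructed here and say nothing about what the real capture contains. Sguil event IDs such as 3.21 are assigned by the sensor and cannot be derived from the packets, so they have to be read from Sguil.

```python
import ipaddress
import struct
from collections import Counter

ETHERTYPE_IPV4, IPPROTO_TCP, LINKTYPE_ETHERNET = 0x0800, 6, 1
TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10


def build_packet(src, sport, dst, dport, flags, payload=b""):
    """Frame one Ethernet/IPv4/TCP packet (checksums left zero; fine for parsing)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, IPPROTO_TCP, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return eth + ip + tcp + payload


def write_pcap(frames):
    """Serialise framed packets into classic little-endian pcap bytes (synthetic timestamps)."""
    parts = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in enumerate(frames):
        parts.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(parts)


def read_pcap(data):
    """Yield (ts_sec, frame) from classic pcap bytes; pcapng is not handled."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, sport, dst, dport, flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    src, dst = (str(ipaddress.IPv4Address(ip[i:i + 4])) for i in (12, 16))
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    return src, sport, dst, dport, ip[ihl + 13]


def tcp_exchanges(pcap_bytes):
    """Group packets into exchanges keyed (client, cport, server, sport) by who sent the SYN."""
    flows = {}
    for _ts, frame in read_pcap(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, flags = parsed
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in flows:
            key = fwd
        elif rev in flows:
            key = rev
        elif flags & TCP_SYN and not flags & TCP_ACK:
            key = fwd
            flows[key] = {"packets": 0, "syn_ack": False}
        else:
            continue  # no handshake seen, so the client side cannot be determined
        flows[key]["packets"] += 1
        if key == rev and flags & TCP_SYN and flags & TCP_ACK:
            flows[key]["syn_ack"] = True  # server answered: handshake got past the SYN
    return flows


def summarize(pcap_bytes):
    """Lines in the task sheet's 'client:port - server:port' style, likely victim first."""
    flows = tcp_exchanges(pcap_bytes)
    initiators = Counter(client for client, _, _, _ in flows)  # host opening most exchanges
    lines = [f"likely victim: {initiators.most_common(1)[0][0]}" if flows else "no exchanges"]
    for (c, cp, s, sp), info in flows.items():
        state = "handshake completed" if info["syn_ack"] else "no SYN-ACK (failed)"
        lines.append(f"{c}:{cp} - {s}:{sp}  {info['packets']} packets  {state}")
    return lines


# Constructed sample capture: addresses from the task sheet, packets and outcomes synthetic.
VICTIM = "10.3.162.105"
SAMPLE_PCAP = write_pcap([
    build_packet(VICTIM, 62612, "149.3.144.218", 80, TCP_SYN),
    build_packet("149.3.144.218", 80, VICTIM, 62612, TCP_SYN | TCP_ACK),
    build_packet(VICTIM, 62612, "149.3.144.218", 80, TCP_ACK),
    build_packet(VICTIM, 62612, "149.3.144.218", 80, TCP_PSH | TCP_ACK,
                 b"GET / HTTP/1.1\r\nHost: 149.3.144.218\r\n\r\n"),
    build_packet("149.3.144.218", 80, VICTIM, 62612, TCP_ACK),
    build_packet(VICTIM, 62640, "37.140.192.238", 80, TCP_SYN),  # unanswered SYN ...
    build_packet(VICTIM, 62640, "37.140.192.238", 80, TCP_SYN),  # ... and its retransmit
    build_packet(VICTIM, 63158, "189.140.46.92", 80, TCP_ACK),  # mid-stream, no SYN seen
])
```

Calling summarize(SAMPLE_PCAP) returns the likely victim followed by one line per exchange with its packet count and whether the handshake completed. In the report itself the same grouping comes from Security Onion's own tools (the Sguil transcript and Wireshark's Conversations view on the imported PCAP); the script only makes explicit that "successful versus failed" first reduces to whether the three-way handshake completed and application traffic followed, and that a stream with no observed SYN cannot be attributed to a client from the packets alone.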
Your task is to prepare a written report addressing the following points (you must use the
headings indicated):
1. Introduction (<1 page):
Provide an overview of what is happening in this packet capture, including:
i. Identify the victim machine (be as specific as you can);
ii. Identify and briefly describe the events leading to and involving the
infection of the victim machine; and
iii. Identify and briefly describe each component of malware in the infection.
2. Malware Traffic (<2 pages):
Out of the 14 TCP exchanges identified above, select three apparently successful
activities and one apparently failed activity (totalling four TCP exchanges).
For each of your four selected exchanges:
i. Provide a summary of what is happening in the exchange and list the
protocols involved;
ii. List the related security events detected in Security Onion and briefly
explain what each event is identifying; and
iii. Explain what was achieved by the malware (successful activity) or
why the malware failed (unsuccessful activity).
3. Conclusions (<1 page):
Provide a general summary / conclusion for your report including the
potential damage that could be achieved by such malware, and how this damage
could be prevented and/or avoided in future.