PCAP Analysis

This playbook leverages all of the PCAP miner and PCAP file extractor sub playbook capabilities, including: Search for specific values in a PCAP file Parse and enrich detected indicators such as IP addresses, URLs, email addresses and domains found by the search . * Carve (extract) files found in the http, smb and other protocols and perform enrichment and detonation.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • PCAP Parsing And Indicator Enrichment
  • PCAP Search
  • PCAP File Carving

Integrations

This playbook does not use any integrations.

Scripts

This playbook does not use any scripts.

Commands

This playbook does not use any commands.

Playbook Inputs


NameDescriptionDefault ValueRequired
PcapFileEntryIDThis input specifies the file entry ID for the PCAP file if the user provided the file in the incident. One PCAP file can run per incident.File.EntryIDOptional
RunParsingAndEnrichmentThis input specifies whether to run the parsing and enrichment playbook. Values can be true or any other value for false.trueOptional
RunFileCarvingThis input specifies whether to run the file carving playbook. Values can be true or any other value for false.trueOptional
RsaDecryptKeyEntryIDThis input specifies the file entry ID for the RSA decrypt key if the user provided the key in the incident.File.EntryIDOptional
WpaPasswordThis input value is used to provide a WPA (Wi-Fi Protected Access) password to decrypt encrypted 802.11 Wi-FI traffic.Optional
QueryOperatorIn case the playbook has several search inputs provided such as IPAddressToSearch, TCPPortsToSearch ,UDPPortsToSearch, ProtocolToSearch and AdvancedSearchFilter. This input will specify if the inputs will be treated as an AND or an OR search for all the PCAP search filter.
value can be "and" or "or". The default value is "and",
If the IPAddressToSearch was defined as 192.168.1.1,192.168.1.2
The TCPPortsToSearch was defined as 445,443
And the QueryOperator was defined as "and"
The resultant query will be (ip.addr == 192.168.1.1 or ip.addr == 192.168.1.2) and (tcp.port == 445 or tcp.port == 443)
If the QueryOperator was defined as "or"
The resultant query will be (ip.addr == 192.168.1.1 or ip.addr == 192.168.1.2) or (tcp.port == 445 or tcp.port == 443)
andOptional
IPAddressToSearchThe value of an IP address to search. Can be a single IP or a comma delimited list of IP addresses. CIDR ranges are also acceptable. All IPs will be treated with the OR operator.Optional
TCPPortsToSearchThe value of a TCP port number to search. Can be a single port or a comma delimited list of ports. All TCP ports will be treated with the OR operator.Optional
UDPPortsToSearchThe value of a UDP port number to search. Can be a single port or a comma delimited list of ports. All UDP ports will be treated with the OR operator.Optional
ProtocolToSearchThe protocols to search for within the PCAP file. Can be a single protocol or a comma delimited list of protocols. The protocol names should be the same as searching in Wireshark. For example smb2, dns etc. All protocols will be treated with the OR operator.Optional
AdvancedSearchFilterFilter to apply on PCAP. Wireshark syntax as can be found here: https://www.wireshark.org/docs/man-pages/wireshark-filter.html
This input is meant to handle more complex filters not covered by the other inputs. For example search by an attribute such as http.host, arp.dst.hw etc.
Optional
InternalIPRangeA list of internal IP ranges to check IP addresses against. The list should be provided in CIDR format, separated by commas. An example of a list of ranges could be: 172.16.0.0/12,10.0.0.0/8,192.168.0.0/16. If a list of IP ranges is not provided, the list provided in the IsIPInRanges script (the known IPv4 private address ranges) is used by default.Optional
InternalUrlNameThe organization's internal URL name. This is provided for the script IsInternalHostName that checks if the detected URLs are internal or external if the hosts contain the internal domains suffix. For example demisto.com. If there is more than one domain, use comma separation such as demisto.com,paloaltonetworks.comOptional
WhichIndicatorTypeToEnrichThis input checks which indicator types that will be extracted from the PCAP will be enriched. Values can be
ip
email
url
To provide more than one indicator type use comma separation such as
ip,url,email
ip,url,emailOptional
InternalEmailDomainNameThe organization's internal email domain name. This is provided for the script IsEmailAddressInternal that checks if the detected emails are internal or external. This input can contain a List of internal domains to check, comma separated.Optional
RegexToSearchThis input value is used to provide a python regular expression to search in the the packet body. An example can be \w{10} for expressions that have 10 letter words.Optional
ExtractedFilesLimitThis input limits the number of files to be extracted from the PCAP file. Default value is 5.5Optional
FileExtensionFilterThis input is used to select which file extensions to include or exclude from the PCAP file. Extensions must be comma separated, for example, png,gif,exe.
This setting cannot be used with the FileTypeFilter.
Optional
FileTypeFilterThis input is used to select which file type (MIME type) to include or exclude from the PCAP file. Extensions must be comma separated, for example, image/jpeg,application/x-javascript
This setting cannot be used with the FileExtensionFilter.
Optional
FilterTypeThis input is combined with the FileExtensionFilter input or the FileTypeFilter input. It specifies if the type/extensions list is inclusive or exclusive. Can be "inclusive" or "exclusive". Default is "inclusive".
Default value is 'inclusive'
inclusiveOptional
AutoDetonateFilesThis input specifies whether to detonate files extracted from the PCAP. The default value is True, any other value will be considered as false.TrueOptional

Playbook Outputs


PathDescriptionType
InternalIPAddressesThe internal IP addresses that were found in the PCAP.string
ExternalIPAddressesThe external IP addresses that were found in the PCAP.string
DestinationTcpPortsA list of destination TCP ports that were found in the PCAP.string
DestinationUdpPortsA list of destination UDP ports that were found in the PCAP.string
DetectedProtocolsA list of protocols that were found in the PCAP.string
ExternalEmailAddressesThe external email addresses that were found in the PCAP.string
InternalEmailAddressesThe internal email addresses that were found in the PCAP.string
ExternalUrlsThe external URLs that were found in the PCAP.string
InternalUrlsThe internal URLs that were found in the PCAP.string
PcapResults.ProtocolsList of protocols found in the PCAP.string
File.MaliciousThe File malicious descriptionstring

Playbook Image


PCAP Analysis