Hello, welcome to the Monday, November 19th, 2018 edition of the San Sanct Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

To start out, we got two diaries from this weekend that sort of really address different parts of the same problem. And that's in particular

as you're starting investigating a packet capture or a website, it's often important to get

a quick feel for, is this malicious? Is this not malicious to then decide whether or not you

really want to spend more time with this particular event.

And typically that's also a very difficult, important decision to make for an analyst.

The first tool is Lockelo, it comes from Circle, the Luxembourg cert,

and it does help you investigate websites.

It sort of enumerates all the different tools like JavaScript and such being used on

the site, but it also tells you from which other sites does this website include content.

And of course, we have seen this numerous times in the recent past particular with like the Magecard incidents and such, where

malicious code is being added to a particular site that then causes malicious behavior.

The second tool that Guy brought up goes by the not so quite imaginative name of multi-purpose PCAP analysis tool and

that's a tool that was written by a student in England as part of his master's thesis and what it

does is it loads a packet capture and then it sort of flags certain indicators of malicious behavior. So it does compare the

packet capture, for example, IP addresses to known malicious IP addresses from various block lists and

such. So again, it probably gives you sort of a quick tip, hey, this is something that I need to

look at closer, something that I need to look at closer,

something that I've seen before. The tool itself is actually a little gwee tool written in

Java, so yes, you have to install Java in order to run this tool. It also has some neat sort

of simple visualization elements.

...