Perform baselining and analysis on network captures.
./netdfir.sh -r <pcap_file> -e -a <adversary_ip>
- -r : Specify the input PCAP file for analysis (required)
- -e : Export files detected in data streams (optional)
- -a : Specify an adversary IP address to highlight (optional)
To help with the process of determining malicious traffic, adversary IP addresses and indicators of compromise:
- All public IPs are mapped to their country of origin.
- Countries that are blacklisted are highlighted in red.
- Known malicious IP addresses are also highlighted red.
Net DFIR will attempt to pull information about the local Windows AD environment. Information regarding the DC, Windows hosts and Windows users will be logged along with the associated IPs and MAC addresses. Any outgoing connections will be listed with their associated ports and number of occurrences.
A list of all IP addresses found within the PCAP is collated and listed in descending order of occurrence. IPs are mapped to their originating country and highlighted based on blocklists and known malicious IP lists.
A list of user agents found within HTTP traffic is collated and listed in descending order of occurrence.