The crazy/kind folks over at PacketTotal were generous enough to slip me an API key, and long-time readers of the blog know what that means: a new package!

What is PacketTotal?

If you have a non-compliance-focused job in information security, chances are you have come across (or had to generate) packet captures of network traffic to chase down an incident. PacketTotal seems to be aiming to aggregate and socialize the analysis of packet captures in much the same way VirusTotal does for files/binaries.

PCAPs are a bit trickier than what VirusTotal handles since they may contain sensitive organizational data (at the very least private addressing schemes), but I suspect they’re working on some sanitization tools to make that easier, and they also appear to be doing a decent job of not logging the IP address (or any other identifying data) of the uploader.

Their online exploratory interface is fairly robust but by providing an API they make it possible for one to go beyond such an interface and enhance a dynamic investigation on-the-fly while keeping a record of analysis flow and artifacts.

We won’t be doing that in this post since it is just an introductory “this is how the site/package works” post but once they round out some corners we may delve into a full (faux) investigation and perhaps write our own investigations UX with Shiny.

Onwards!

Using the PacketTotal API

I kept the dependencies pretty thin so the extra library() calls I’m putting in here are mostly for analysis & visualization support. Let’s get them out of the way:

Now, let’s look for Emotet, which is a nasty piece of malware your organization has likely been hit with multiple times by now. To do that, we need to issue a query on the “deep search” endpoint:

Now, we get those results and take a look:

Let’s get even more detail:

and, see what’s in the summary:

Who are the top talkers (the IP addresses with the most connections)?

Let’s use ipinfo.io to see some extra detail on that main one:

We can also lookup various stats (these JSON strings are going to be real percentages soon from the API):

So, we get FQDNs, files, DNS queries and more. We can also just get every bit of data PacketTotal could squeeze out of the PCAP by downloading an “analysis” archive:

We’ll unpack it and take a look:

We won’t explore all of these in this post, but conn.csv is the Zeek (formerly, ugh, ‘Bro’ — which was short for ‘Big Brother’ b/c it was snooping on your packets, but still…) connection log. That’s something I’m super familiar with given that we generate tens of thousands of them every day at $WORK in our massive honeypot network, so let’s poke at it:

(They’re also fixing the un-friendly-for-data science column names.)

Lots of info about the connections, and we can make our own exploratory interface for them pretty easily:

But, we can also attack it with the tidyverse:
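The post does this in R with the package; the following is an added, stand-alone Python illustration (not code from the packettotal package or from PacketTotal) of the same three steps: unpacking an analysis archive, reading conn.csv, and doing the top-talker and group-by/summarise work from the sections above. It assumes the archive is a zip containing a conn.csv whose header uses Zeek’s conn.log field names (id.orig_h, id.resp_h, orig_bytes, …); the sample archive is constructed inline so it runs offline. Since the archive comes from a third party it is treated as untrusted input: members whose names would escape the extraction directory (“zip slip”) are skipped, and Zeek’s “-” placeholder for missing byte counts is handled rather than crashing the sum.

```python
"""Unpack a PacketTotal-style analysis archive and summarise conn.csv.

Added illustration, NOT the packettotal R package or PacketTotal's own code.
Assumptions: the archive is a zip holding conn.csv with Zeek conn.log column
names; the archive below is constructed in memory so the script runs offline.
"""
import csv
import io
import os
import zipfile
from collections import Counter

# Constructed sample conn.csv (Zeek conn.log columns, subset of fields).
# Zeek writes "-" for missing values; the last row shows a failed handshake.
SAMPLE_CONN_CSV = """ts,uid,id.orig_h,id.orig_p,id.resp_h,id.resp_p,proto,service,duration,orig_bytes,resp_bytes,conn_state
1527100000.10,CAbc1,10.0.0.5,49152,203.0.113.7,80,tcp,http,0.51,420,1200,SF
1527100001.20,CAbc2,10.0.0.5,49153,203.0.113.7,80,tcp,http,0.40,310,980,SF
1527100002.30,CAbc3,10.0.0.9,49154,203.0.113.7,443,tcp,ssl,2.10,1500,9000,SF
1527100003.40,CAbc4,10.0.0.5,49155,198.51.100.2,53,udp,dns,0.02,60,120,SF
1527100004.50,CAbc5,10.0.0.9,49156,198.51.100.2,53,udp,dns,0.01,55,110,SF
1527100005.60,CAbc6,10.0.0.12,49157,203.0.113.7,80,tcp,-,-,-,-,S0
"""


def build_sample_archive(extra_member=None) -> bytes:
    """Construct an in-memory zip shaped like an analysis archive.

    `extra_member` (name, content) lets a test add a hostile entry such as
    '../evil.csv' to show that safe_members() refuses it.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("conn.csv", SAMPLE_CONN_CSV)
        if extra_member is not None:
            zf.writestr(extra_member[0], extra_member[1])
    return buf.getvalue()


def safe_members(zf: zipfile.ZipFile):
    """Yield only members whose names cannot escape the extraction directory.

    A third-party archive is untrusted input: an entry named ../../x or /etc/x
    must never be written to disk ("zip slip"). Normalise first so that
    'a/../../x' is caught as well as a literal leading '..'.
    """
    for info in zf.infolist():
        name = info.filename
        norm = os.path.normpath(name)
        if name.startswith(("/", "\\")) or os.path.isabs(norm) or norm.startswith(".."):
            continue
        yield info


def read_conn_csv(archive_bytes: bytes):
    """Return the rows of conn.csv from the archive as dicts keyed by column name."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in safe_members(zf):
            if os.path.basename(info.filename) == "conn.csv":
                text = zf.read(info).decode("utf-8")
                return list(csv.DictReader(io.StringIO(text)))
    raise FileNotFoundError("conn.csv not found in archive")


def _zeek_int(value: str) -> int:
    """Zeek logs use '-' (or empty) for unset numeric fields; treat those as 0."""
    return 0 if value in ("-", "", None) else int(value)


def top_talkers(rows, n=3, by="id.orig_h"):
    """Addresses with the most connections; `by` selects originator or responder."""
    return Counter(r[by] for r in rows).most_common(n)


def pair_summary(rows):
    """Per (orig, resp, service): connection count and total bytes both ways.

    This is the group_by/summarise one would do on conn.csv with the tidyverse.
    """
    summary = {}
    for r in rows:
        key = (r["id.orig_h"], r["id.resp_h"], r["service"])
        count, total = summary.get(key, (0, 0))
        total += _zeek_int(r["orig_bytes"]) + _zeek_int(r["resp_bytes"])
        summary[key] = (count + 1, total)
    return summary


def failed_connection_ratio(rows) -> float:
    """Share of connections whose state is S0 (SYN seen, no reply): a quick scan/beacon hint."""
    if not rows:
        return 0.0
    return sum(1 for r in rows if r["conn_state"] == "S0") / len(rows)


if __name__ == "__main__":
    rows = read_conn_csv(build_sample_archive())
    print("top originators:", top_talkers(rows))
    print("top responders:", top_talkers(rows, by="id.resp_h"))
    for key, (count, total) in sorted(pair_summary(rows).items()):
        print(f"{key}: {count} conns, {total} bytes")
    print(f"S0 ratio: {failed_connection_ratio(rows):.2f}")
```

The zip-slip filter is the part worth keeping even if everything else is replaced by the R package: any tool that writes third-party archive members to disk needs it, and `zipfile.extractall` only partially protects you. The “-” handling matters for the byte sums because a single unparsed placeholder otherwise aborts the whole aggregation.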

We can even see any threat intelligence they were able to enrich the data with:

We can also look for similar PCAPs:

This is where the power of the API would really come in handy as we collect all this information and start to look for correlations, time series patterns (or anomalies) and possibly extract features to help build models to detect various types of malicious traffic.

FIN

Visit the package page for information on how to install it and you can find it on SourceHut, GitLab or (ugh) GitHub.

Keep watching their service/API since it’s only going to get even better and definitely toss up suggestions for package features or jump on in and file some PRs at your social coding hub of choice.