Wireshark-users: Re: [Wireshark-users] Need filters

From: "David H. Lipman" <DLipman@xxxxxxxxxxx>
Date: Tue, 22 Jun 2010 17:44:49 -0400
From: "Jaap Keuter" <jaap.keuter@xxxxxxxxx>

| On 06/22/2010 10:52 PM, David H. Lipman wrote:
>> From: "Jaap Keuter"<jaap.keuter@xxxxxxxxx>

>> | Hi,

>> | You need a display filter?
>> | Just point and click; point to the packet with the protocol you don't want,
>> | right-click and add to filter.

>> | Thanks,
>> | Jaap

>> I'm kind of in the middle but here goes...
>> { I say I am in the middle because it is not my website. }

>> This is a web site that accepts malicious samples.  The site sandboxes and executes the
>> malicious samples and then sends a PCAP file of communication and an HTML file of activity.

>> The PCAP is full of Microsoft "noise" that doesn't have to do with the malware analysis.
>> The objective is to filter out the noise and generate a PCAP without said noise.  That
>> filtered PCAP and the HTML report are subsequently ZIPped and emailed to the malicious
>> file submitter.


| Ah ok, you need a capture filter then? I assume you capture using libpcap.
| A quick web search shows the following:

| Microsoft Protocols
| TCP PORT 139 tcp port 139
| UDP PORT 137 udp port 137
| UDP PORT 138 udp port 138
| UDP PORT 445 udp port 445
| SMB dst port 139 && tcp[13:1] & 18 = 2

| which would result in
| not (tcp port 139 or udp port 137 or udp port 138 or udp port 445)

| But if you're interested in the HTTP protocol only, why not filter on that?
| That would be: tcp port 80

| Hope it helps.


It isn't just HTTP.  For example, here is a result from Threat Expert for a CyberGate RAT.
http://www.threatexpert.com/report.aspx?md5=de13803c2c3a55082e35c96bd86abae4

Note:  IP = 92.241.168.24 @ TCP port 50325

We'll see all sorts of communication from malware.  But we also do need the normal 
background Microsoft chatter; at the same time we don't want to filter out an SDBot trying to 
spread via SMB.

I hope it is OK.  I attached two PCAP files in a ZIP file with data that we do NOT need to 
see in a resultant report.



-- 
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp 
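As an added example (not code from the thread or from Wireshark), here is a small Python script that applies Jaap's port list offline to a classic libpcap file, so the noise rules live in one editable set; it assumes Ethernet/IPv4 captures and builds a constructed sample capture for the run.

```python
import struct

TCP, UDP = 6, 17
# The (protocol, port) pairs listed as Microsoft noise in the thread; tune this set as needed.
NOISE = {(TCP, 139), (UDP, 137), (UDP, 138), (UDP, 445)}

def l4_ports(pkt):
    """(ip_proto, sport, dport) for an Ethernet/IPv4/{TCP,UDP} frame, else None."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":          # EtherType 0x0800 = IPv4
        return None
    l4 = 14 + (pkt[14] & 0x0F) * 4                           # 14-byte Ethernet + IHL
    proto = pkt[23]                                          # IPv4 protocol field
    if proto not in (TCP, UDP) or len(pkt) < l4 + 4:
        return None
    return (proto,) + struct.unpack("!HH", pkt[l4:l4 + 4])

def is_noise(pkt):
    """Same decision as 'tcp port 139 or udp port 137 or udp port 138 or udp port 445'."""
    hdr = l4_ports(pkt)
    return hdr is not None and ((hdr[0], hdr[1]) in NOISE or (hdr[0], hdr[2]) in NOISE)

def records(data):
    """Yield (record_header, packet_bytes) from a classic pcap; header bytes kept verbatim."""
    magic = struct.unpack("<I", data[:4])[0]
    e = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"    # file byte order
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack(e + "IIII", data[off:off + 16])[2]
        yield data[off:off + 16], data[off + 16:off + 16 + incl]
        off += 16 + incl

def filter_pcap(data):
    """Return a new pcap holding only the non-noise records (global header copied as-is)."""
    out = bytearray(data[:24])
    for hdr, pkt in records(data):
        if not is_noise(pkt):
            out += hdr + pkt
    return bytes(out)

def frame(proto, sport, dport):
    """Constructed minimal Ethernet/IPv4 frame followed by the first 4 L4 bytes (the ports)."""
    ip = bytes([0x45, 0]) + struct.pack("!H", 24) + b"\0" * 4 + bytes([64, proto]) + b"\0" * 2 \
         + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2])
    return b"\0" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport)

def sample_pcap():
    """Constructed capture: NetBIOS/SMB chatter, one HTTP flow, and the RAT port from the thread."""
    frames = [frame(UDP, 137, 137), frame(UDP, 138, 138), frame(TCP, 1025, 139),
              frame(TCP, 1026, 80), frame(TCP, 1027, 50325)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1277242000 + i, 0, len(f), len(f)) + f
    return out
```

Note that dropping TCP 139 wholesale also drops the SMB spreading attempt Dave wants to keep, so trim the NOISE set to only the chatter the report really does not need.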

