Popular online virus scanning service VirusTotal, which can analyze user-submitted samples for infection using more than 40 anti-virus scanners, has added a PCAP analyzer to its arsenal. The PCAP scanner can take network capture files (PCAP files) produced by capture tools such as Wireshark or tcpdump and analyze them for signs of infection, network intrusion and exploitation.
To perform a check, users need a network capture tool capable of writing the captured traffic to a dump file in the PCAP format. The PCAP file then needs to be uploaded to VirusTotal the same way people submit EXEs, PDFs and other files for analysis. VirusTotal will then extract the contents of the PCAP file, process it using the popular intrusion detection systems Snort and Suricata, and log the rules that they trigger. VirusTotal will also list all DNS resolutions performed and all HTTP communications. Analysis of network traffic can often reveal communication between a malware or botnet client and its command server, cross-site scripting, malicious code injection from a remote server, and other types of attacks which may otherwise go undetected.
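The DNS resolutions and HTTP request lines VirusTotal lists are the kind of data a defender can also pull out of a capture locally before (or instead of) uploading it. The following is an added example, not VirusTotal's code: it builds a constructed two-packet libpcap file (one DNS query, one HTTP GET over Ethernet/IPv4) and walks it with the standard library only; the addresses, ports and hostname in the sample are made up.

```python
import struct

def build_sample_pcap() -> bytes:
    """Constructed two-packet capture: one DNS query, one HTTP GET (Ethernet/IPv4)."""
    def ipv4(proto, payload):  # 20-byte IPv4 header, checksum left zero (constructed data)
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                          bytes([10, 0, 0, 5]), bytes([10, 0, 0, 53]))
        return b"\x00" * 12 + b"\x08\x00" + hdr + payload  # zero MACs + IPv4 ethertype
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) \
        + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)  # A/IN question
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    http = b"GET /update.bin HTTP/1.1\r\nHost: example.com\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40001, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + http
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for frame in (ipv4(17, udp), ipv4(6, tcp)):
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame  # record header
    return out

def dns_qname(dns: bytes) -> str:
    """Decode the first question name; offset 12 skips the fixed DNS header."""
    labels, i = [], 12
    while dns[i]:
        n = dns[i]
        labels.append(dns[i + 1:i + 1 + n].decode("ascii"))
        i += n + 1
    return ".".join(labels)

def extract_dns_and_http(pcap: bytes):
    """Return (DNS query names, HTTP request lines) from an Ethernet/IPv4 libpcap file."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    dns, http, off = [], [], 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        l4 = ip[(ip[0] & 0x0F) * 4:]  # IHL gives the header length in 32-bit words
        if ip[9] == 17 and struct.unpack("!H", l4[2:4])[0] == 53:  # UDP to port 53
            dns.append(dns_qname(l4[8:]))
        elif ip[9] == 6:  # TCP: data offset is the high nibble of byte 12
            payload = l4[(l4[12] >> 4) * 4:]
            if payload[:4] in (b"GET ", b"POST"):
                http.append(payload.split(b"\r\n", 1)[0].decode("ascii", "replace"))
    return dns, http

if __name__ == "__main__":
    print(extract_dns_and_http(build_sample_pcap()))
```

Real captures also carry VLAN tags, IPv6, fragmented datagrams and multi-segment HTTP, which this minimal walker ignores; the IDS rule matching VirusTotal adds on top is what Snort and Suricata provide.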
Currently, VirusTotal employs only two intrusion detection analyzers, Snort and Suricata, but we can expect to see more scanners and analyzers being added in the future.