Need help finding Pcap with no signatures

Hey everybody, I have been using Virustotal to try and find Pcap without a signature.

This is the query I have been using: “have:pcap tag:malware positives:10+m AND NOT have:crowdsourced_ids AND NOT engines:formbook”.

I generally have to go through 50-100 submissions before I find one with no signatures written for it.

Does anybody have any tips or tricks to help finding any Pcap that needs signatures written for them?

Hey Noah,

I contacted VT about this and they said that the query is correct and that there might be a bug on their end. They didn’t provide a timeline but I’ll update this thread once we hear back. I’ll also try the query every couple of days in case it gets resolved before we hear anything.

Hey, I know it’s a little late and I am by no means an expert myself but I usually sweep in a similar way and my best methods seem to be downloading interesting pcaps and running them through Dalton quickly to see if it’s interesting. It’s not completely efficient but it works well enough for myself.

Link to the Dalton project: https://github.com/secureworks/dalton (Suricata and Snort IDS rule and pcap testing system)

Hope this helps but if it doesn’t, I would like to know a more efficient way as well!

I continued to think on this and I kind of like the idea of automating this with a CLI tool that checks pcaps against rules. I can’t do VT myself since I don’t have access but I think triage has an API I can work with. I might poke around with how the output would be most useful.
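As an added example of the CLI automation described above (my own script, not code from Dalton, Suricata or anyone in this thread): it replays each pcap through Suricata with one rule file and lists the pcaps that raise no alert at all, which are the ones still needing a signature. Suricata's `-r`, `-S` and `-l` flags are real; the helper names and the sample eve.json lines are assumptions I constructed.

```python
"""Batch-triage pcaps: replay each through Suricata with one rule file, parse the
eve.json it writes, and list the pcaps that fired no alert (the ones that still
need a signature). Helper names are my own, not from Dalton or Suricata."""
import json
import subprocess
import tempfile
from collections import Counter
from pathlib import Path

def summarize_alerts(eve_lines):
    """Count alert hits per (sid, signature); skip non-alert and corrupt lines."""
    hits = Counter()
    for line in eve_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # one truncated line must not abort the whole triage run
        if event.get("event_type") != "alert":
            continue
        alert = event.get("alert", {})
        hits[(alert.get("signature_id"), alert.get("signature"))] += 1
    return hits

def needs_signature(eve_lines):
    """True when the pcap produced zero alerts against the loaded rules."""
    return not summarize_alerts(eve_lines)

def run_suricata(pcap, rules, suricata_bin="suricata"):
    """Replay one pcap (-r) using only `rules` (-S); return eve.json lines.
    Needs a local Suricata install, so it is not exercised offline."""
    with tempfile.TemporaryDirectory() as logdir:
        subprocess.run([suricata_bin, "-r", str(pcap), "-S", str(rules),
                        "-l", logdir], check=True, capture_output=True)
        return Path(logdir, "eve.json").read_text().splitlines()

def triage_directory(pcap_dir, rules):
    """Names of the pcaps in pcap_dir that fire no alerts, sorted."""
    return sorted(p.name for p in Path(pcap_dir).glob("*.pcap")
                  if needs_signature(run_suricata(p, rules)))

# Constructed eve.json lines standing in for real Suricata output.
SAMPLE_EVE = [
    '{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.7"}',
    '{"event_type":"alert","alert":{"signature_id":1000001,"signature":"LOCAL test beacon"}}',
    '{"event_type":"alert","alert":{"signature_id":1000001,"signature":"LOCAL test beacon"}}',
    'not json at all',
]
```

Point `triage_directory` at a folder of downloaded pcaps and your rule file, and the names it returns are the ones worth writing rules for.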

Hey Isaac,

Thank you for your feedback.

If you end up doing a script that’s public, I would love to contribute.

@NoahWolf - I just did a search in VT today and it looks like they’ve fixed the issue. I never got a response back but after clicking on a few random results it appears to be working correctly. :tada:

