
List:       dragonidsuser
Subject:    [Dragonidsuser] Preferred method to reconstruct files downloaded via SMB?
From:       Hank Leininger <hlein () progressive-comp ! com>
Date:       2004-09-17 13:23:36
Message-ID: 010407131603130.28954 () timmy ! spinoli ! org


I'm curious, how (if at all) do people prefer to rebuild binaries
that Dragon recorded being transferred?  For instance I've got some
machines transferring UPX-compressed files internally via SMB.  I'd like
to reconstruct enough of the file to pass it to a decompressor, and see
what comes out on the other side--some uses of UPX are legit, but more
often than not when I see them, it's a sign of an infection/malware.
But the same goes for files Dragon records in DYNAMIC capture transferred
via FTP, HTTP, etc.

There's at least a good chunk of the file sitting in these
GENERIC:UPX-EXE and DYNAMIC-TCP events.  For straightforward protocols
like FTP, HTTP, RCP it's simple (if inelegant) to extract the
transferred file from the captured payload.  But what about SMB file
transfers?  From what I understand of the SMB protocol on-the-wire, the
idea of trying to reconstruct file payloads from SMB packet dumps makes
me want to go take a shower.  Does anybody know of some good tools for
doing so?  Things like tcpdump, ethereal, etc. all have various degrees
of Netbios / SMB decode support, but I don't think they extend to
anything like this.  I'd love to be wrong, though.

Thanks,

Hank Leininger <hlein@progressive-comp.com>
E407 AEF4 761E D39C D401  D4F4 22F8 EF11 861A A6F1
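The reassembly step the post asks about, as an added example (not code from the original post, from Dragon, or from any of the tools named): it assumes a protocol decoder has already turned each SMB write request into a (FID, file offset, data) record, which is exactly what the hand-written SMB-to-file step must then cope with, since writes to several open files are multiplexed on one session, may arrive out of order or be retransmitted, and may leave holes. The sample records are constructed, and the UPX check is a triage heuristic based on the "UPX!" header magic and the UPX0/UPX1 section names.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class SmbWrite:
    """One decoded SMB write request: open file handle (FID), file offset, payload."""
    fid: int
    offset: int
    data: bytes


def reassemble(writes: List[SmbWrite]) -> Dict[int, Tuple[bytes, List[Tuple[int, int]]]]:
    """Rebuild each FID's content from its write requests, in capture order.

    Later writes to the same range win (retransmits are harmless). Byte ranges no
    write ever supplied are reported as gaps, because a file with holes must not be
    handed to an unpacker as if it were complete."""
    per_fid: Dict[int, List[SmbWrite]] = defaultdict(list)
    for w in writes:
        per_fid[w.fid].append(w)
    result = {}
    for fid, ws in per_fid.items():
        size = max(w.offset + len(w.data) for w in ws)
        buf, covered = bytearray(size), bytearray(size)
        for w in ws:
            buf[w.offset:w.offset + len(w.data)] = w.data
            covered[w.offset:w.offset + len(w.data)] = b"\x01" * len(w.data)
        gaps, start = [], None
        for i, c in enumerate(covered):
            if not c and start is None:
                start = i
            elif c and start is not None:
                gaps.append((start, i))
                start = None
        if start is not None:
            gaps.append((start, size))
        result[fid] = (bytes(buf), gaps)
    return result


def looks_upx_packed(blob: bytes) -> bool:
    """Triage heuristic: UPX-packed executables carry the 'UPX!' magic and UPX0/UPX1 sections."""
    return b"UPX!" in blob or b"UPX0" in blob


# Constructed sample, not a real capture: three files interleaved on one SMB session.
SAMPLE_WRITES = [
    SmbWrite(fid=0x4001, offset=0, data=b"MZ\x90\x00" + b"\x00" * 12),
    SmbWrite(fid=0x4002, offset=0, data=b"plain text file\n"),
    SmbWrite(fid=0x4001, offset=32, data=b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"),  # out of order
    SmbWrite(fid=0x4001, offset=16, data=b"\x00" * 16),
    SmbWrite(fid=0x4001, offset=48, data=b"UPX!\x0d\x09\x02\x08"),
    SmbWrite(fid=0x4001, offset=16, data=b"\x00" * 16),  # retransmitted duplicate
    SmbWrite(fid=0x4003, offset=0, data=b"head"),
    SmbWrite(fid=0x4003, offset=8, data=b"tail"),  # bytes 4..8 never written: a gap
]


def triage(writes: List[SmbWrite]) -> Dict[int, dict]:
    """Per-file summary an analyst would look at before deciding what to decompress."""
    return {fid: {"size": len(blob), "gaps": gaps, "complete": not gaps,
                  "upx": looks_upx_packed(blob)}
            for fid, (blob, gaps) in reassemble(writes).items()}


if __name__ == "__main__":
    for fid, r in triage(SAMPLE_WRITES).items():
        print(f"fid 0x{fid:04x}: {r}")
```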