Anybody have any suggested resources on this topic? I'm trying to find pcap examples of malicious or suspicious traffic, but they are a bit hard to come across and are usually sprinkled in write-ups and white papers.
So far I'm alerting on: different types of redirects coupled with URL changes that contain an abnormally large number of subdomains (subdomain.subdomain.subdomain.legitsite.com); apparent random strings (typical of exploit kits that deliver ransomware and banking trojans), e.g. HKJHSADdkjhdhweU87kHj234.biz (made-up example); abnormal amounts of DNS and NTP traffic; DNS data exfiltration, e.g. KJDkfdjfweklDKJFF8efLKJDFkjw.someurl.com; bad, suspicious, or missing user-agent information in HTTP headers; and packets with abnormal flags, such as having the SYN, FIN, and PUSH flags all set.
Any suggestions or resources you find helpful would be much appreciated. I'm not so much interested in signature-based analysis.
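The heuristics listed in the post, as an added example that is not part of the original post: a small Python pass over constructed sample events (DNS names, HTTP headers, TCP flag bytes) that flags deep subdomain chains, long high-entropy labels, missing User-Agent headers, and SYN/FIN/PSH combinations. The thresholds (label count, label length, entropy cutoff) are assumptions to tune against your own baseline, not values from the post.

```python
import math
from collections import Counter

# Constructed sample events, not real captures: DNS names, HTTP headers, TCP flags.
SAMPLE_DNS = ["www.example.com", "a.b.c.d.legitsite.com",
              "KJDkfdjfweklDKJFF8efLKJDFkjw.someurl.com", "HKJHSADdkjhdhweU87kHj234.biz"]
SAMPLE_HTTP = [{"Host": "example.com", "User-Agent": "Mozilla/5.0"},
               {"Host": "example.com"}, {"Host": "example.com", "User-Agent": ""}]
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10          # TCP flag bits (RFC 793)
SAMPLE_TCP = [SYN, SYN | ACK, SYN | FIN | PSH, FIN | ACK]

def shannon_entropy(s):
    """Bits per character; random-looking labels score high, dictionary words low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def dns_findings(name, max_labels=4, min_len=16, min_entropy=3.3):
    """Deep subdomain chains and long high-entropy leftmost labels (assumed thresholds)."""
    labels = name.rstrip(".").split(".")
    out = []
    if len(labels) > max_labels:
        out.append("deep_subdomain")
    if len(labels[0]) >= min_len and shannon_entropy(labels[0]) > min_entropy:
        out.append("high_entropy_label")   # coarse: long legitimate labels can score high too
    return out

def http_findings(headers):
    """Missing or empty User-Agent; header names are matched case-insensitively."""
    ua = {k.lower(): v for k, v in headers.items()}.get("user-agent")
    return ["missing_user_agent"] if not ua else []

def tcp_findings(flags):
    """Flag combinations a normal TCP stack never sends in one segment."""
    out = []
    if flags & SYN and flags & FIN:
        out.append("syn_and_fin")
    if flags & SYN and flags & PSH:
        out.append("syn_with_push")
    return out

def run_checks():
    """Apply every heuristic to the constructed samples; returns only events with findings."""
    hits = {}
    for name in SAMPLE_DNS:
        if f := dns_findings(name): hits["dns:" + name] = f
    for i, h in enumerate(SAMPLE_HTTP):
        if f := http_findings(h): hits[f"http:{i}"] = f
    for fl in SAMPLE_TCP:
        if f := tcp_findings(fl): hits[f"tcp:{fl:#04x}"] = f
    return hits

if __name__ == "__main__":
    for event, findings in run_checks().items():
        print(event, findings)
```

Each check on its own is noisy; the post's point about coupling signals (redirect plus odd hostname, flag anomaly plus unusual volume) is what keeps the alert rate usable.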