command and control servers in the case of a bot, sites containing additional
malware the sample attempts to download, or other involved sites.
Global Network Data
The Global Network Data section contains a summary of all of the interesting
network traffic that was generated while analyzing the file. This section has the
following subsections (when available):
• All TCP
• All UDP
• HTTP
• DNS Query
• DNS Answer
• IRC
All TCP and All UDP are summaries of all of the TCP/UDP traffic observed while
analyzing this file. The IP address and port information here can be used to create
rudimentary firewall rules that restrict ingress/egress activity to the ports and IP
addresses known to be associated with the malicious code. Review each endpoint before
blocking it: addresses observed in a sandbox can belong to shared infrastructure
(public DNS resolvers, content delivery networks, legitimate sites the sample probes
for connectivity), and blocking those would affect normal traffic as well.
Version 4.5
Sourcefire FireAMP User Guide
Chapter 13: File Analysis

DNS Query and DNS Answer are lists of DNS transactions that were observed
while analyzing the file. These queries can be used to detect hosts that are
infected on your network, or as a guideline on what domain names need to be
sinkholed or blocked in order to control an infection on your network.
HTTP and IRC subsections contain HTTP and IRC traffic that was observed while
analyzing the executable. This information can be used to write network IDS
signatures or to block ingress/egress communications with these hosts at the
network perimeter in order to prevent further control of infected hosts.
File Analysis Details
The File Analysis Details section allows you to download the original sample
(executable) that was executed in the sandbox. This is very useful if you want to
perform a deep analysis on the executable, and the sample can also be used to create
Simple Custom Detections and Advanced Custom Signatures to control and
remove outbreaks in a network.
You can also download the entire network capture that was collected while
analyzing the binary. This network capture is in PCAP format and can be opened
with network traffic analysis tools such as Wireshark. The availability of this
network capture file means that a security analyst can create a robust IDS
signature to detect or block activity that is associated with this threat.
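The workflow this chapter describes, mining the All TCP/All UDP and DNS Query summaries for firewall rules and sinkhole lists, and the downloaded PCAP for IDS signatures, as an added example that is not part of the Sourcefire guide or of FireAMP itself. It is standard-library Python that parses a classic little-endian libpcap file, extracts destination endpoints and DNS query names, and emits iptables DROP rules and Snort DNS rules. The capture is constructed inline with placeholder addresses from the RFC 5737 documentation ranges and the name c2.example.invalid; the rule formats, the SID range and the decision to ignore queries to the local resolver are the example's own assumptions, not anything the guide specifies.

```python
"""Mine a sandbox PCAP for network indicators and turn them into block rules.
Standard library only: parses little-endian libpcap (Ethernet/IPv4), collects
TCP/UDP endpoints and DNS query names, emits iptables and Snort rules."""
import socket
import struct

# ---- constructed sample capture (placeholder indicators, not real ones) ----
def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)

def _dns_query(name, txid=0x1234):
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def _frame(ip_packet):
    return b"\x00" * 12 + b"\x08\x00" + ip_packet  # Ethernet II header, EtherType IPv4

def build_sample_pcap():
    victim, resolver = "10.0.0.5", "10.0.0.2"
    frames = [
        _frame(_ipv4(victim, resolver, 17, _udp(40000, 53, _dns_query("c2.example.invalid")))),
        _frame(_ipv4(victim, "198.51.100.7", 6, _tcp_syn(40001, 6667))),  # IRC-style C2
        _frame(_ipv4(victim, "203.0.113.9", 6, _tcp_syn(40002, 80))),     # HTTP download
        _frame(_ipv4(victim, resolver, 17, _udp(40003, 53, _dns_query("c2.example.invalid")))),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

# ---- parser ----
def _dns_qname(payload):
    """First question name of a DNS message, or None if absent/compressed."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] == 0:
        return None
    labels, pos = [], 12
    while pos < len(payload):
        n = payload[pos]
        if n == 0:
            return ".".join(labels) or None
        if n & 0xC0:  # compression pointer, never valid in the first question
            return None
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return None

def parse_pcap(data):
    """Return one record per IPv4 TCP/UDP packet in a little-endian pcap file."""
    magic, *_, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian libpcap with Ethernet frames")
    pos, records = 24, []
    while pos + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[pos:pos + 16])[2]
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if frame[12:14] != b"\x08\x00":  # skip non-IPv4 (ARP, IPv6, ...)
            continue
        ip = frame[14:]
        proto, ihl = ip[9], (ip[0] & 0x0F) * 4
        l4 = ip[ihl:]
        if proto not in (6, 17) or len(l4) < 8:
            continue
        sport, dport = struct.unpack("!HH", l4[:4])
        rec = {"proto": "tcp" if proto == 6 else "udp", "src": socket.inet_ntoa(ip[12:16]),
               "dst": socket.inet_ntoa(ip[16:20]), "sport": sport, "dport": dport,
               "qname": _dns_qname(l4[8:]) if proto == 17 and dport == 53 else None}
        records.append(rec)
    return records

# ---- indicators to rules ----
def endpoints(records, resolver_ports=(53,)):
    """Unique (proto, dst, dport) tuples; DNS to the resolver is not an indicator."""
    return sorted({(r["proto"], r["dst"], r["dport"]) for r in records
                   if r["dport"] not in resolver_ports})

def dns_names(records):
    return sorted({r["qname"] for r in records if r["qname"]})

def iptables_rules(records):
    return [f"iptables -A OUTPUT -p {p} -d {ip} --dport {port} -j DROP"
            for p, ip, port in endpoints(records)]

def snort_dns_rules(records, sid_start=1000001):
    rules = []
    for i, name in enumerate(dns_names(records)):
        wire = "".join(f"|{len(lab):02x}|{lab}" for lab in name.split("."))  # DNS label encoding
        rules.append(f'alert udp $HOME_NET any -> any 53 (msg:"Sandbox DNS indicator {name}"; '
                     f'content:"{wire}|00|"; nocase; sid:{sid_start + i}; rev:1;)')
    return rules

if __name__ == "__main__":
    recs = parse_pcap(build_sample_pcap())
    print("\n".join(iptables_rules(recs) + snort_dns_rules(recs)))
```

The parser deliberately covers only what the constructed capture contains (little-endian pcap, Ethernet, IPv4 without VLAN tags or fragmentation); a capture downloaded from the sandbox should be opened in Wireshark or tshark first to confirm its format, and a production pipeline would use a full-featured library rather than this hand-rolled reader. The Snort rule matches the wire encoding of the query name (length-prefixed labels terminated by a zero byte) rather than the dotted string, so it fires on the actual DNS packet and not just on a text search.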
When analyzing malware, a series of screenshots is also collected. These
screenshots can be used to observe the visual impact that the malware has on
the desktop of a victim. They are useful in user education campaigns: in the
case of an outbreak, the security analyst can send screenshots of the threat's
behavior to network users and warn them of the symptoms to look for. They can
also be used to warn about convincing social engineering attacks such as phishing,
for example the fake alerts displayed by fake antivirus or scareware.
Chapter 14
Trajectory
Trajectory shows you activity within your FireAMP deployment, either across
multiple computers or on a single computer. When you navigate to the Trajectory