Network simulation for malware analysis.
sparring is supposed to assist with the analysis of network traffic generated by possibly malicious software. This is achieved by automating the logging of known protocols and extracting sent or received payloads where applicable. Support for integration with the automated malware analysis framework cuckoo (http://cuckoosandbox.org) is on its way.
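As an added illustration of what "logging a known protocol and extracting its payload" means in practice (example code written for this page, not part of sparring), the following parses one HTTP/1.x message in either direction, keeps buffering while the message is incomplete, and produces one log line per complete message. HTTP as the protocol, the field names and the sample bytes are assumptions; the captured messages are constructed, not real traffic.

```python
from typing import Optional

# Constructed sample traffic (not real): a request a sandboxed sample might
# send, and the response the analysis host answered with.
SAMPLE_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"id=1234&v=1"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"ready"
)


def parse_http_message(raw: bytes) -> Optional[dict]:
    """Split one HTTP/1.x message into start line, headers and payload.

    Returns None while the header block or the Content-Length body is still
    incomplete, so the caller keeps buffering bytes from the connection
    instead of logging a truncated payload.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        return None  # headers not complete yet
    lines = head.split(b"\r\n")
    start_line = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    try:
        length = int(headers.get("content-length", "0"))
    except ValueError:
        length = 0  # malformed length: treat the message as having no body
    if len(rest) < length:
        return None  # body not complete yet
    # A status line marks data received by the sample; anything else was sent by it.
    direction = "received" if start_line.startswith("HTTP/") else "sent"
    return {"direction": direction, "start_line": start_line,
            "headers": headers, "payload": rest[:length]}


def log_http(raw: bytes) -> Optional[str]:
    """One log line per complete message, in the style a protocol logger would emit."""
    msg = parse_http_message(raw)
    if msg is None:
        return None
    host = msg["headers"].get("host", "-")
    return f"http {msg['direction']} {msg['start_line']} host={host} payload={len(msg['payload'])}B"
```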
sparring can be run in three different modes of operation. They are:
- full mode: No communication may leave the analysing host. Supported and activated protocols are processed by sparring.
- half mode: Data sent by the (malware) sample is intercepted, possibly modified and either passed to its destination host or discarded.
- transparent mode: While working transparently, sparring will not alter any transmitted data; it only logs connections and tries to extract interesting data for supported protocols.
The scripts/ directory contains shell scripts to assist you in getting the somewhat tricky network setup required for analysis right.