Report Format ll-pcap

This analysis report format refers to the analysis of a network traffic capture (pcap). The capture contents are analyzed to identify traffic that matches patterns of malicious connections (“signature detections”) and to identify connections involving hosts that are known to our threat intelligence (“blacklist detections”).

In addition to the report fields shared by all report formats (see Analysis Report Format), the report contains a number of fields with details specific to this analysis.

Reports may include fields not described here; they are to be considered experimental or deprecated and SHOULD be ignored.

Report contents

  • domain_detections

    Type: List of detections on domains. See Domain detections for details.

    A list providing information about detections that affected a domain.

  • ip_detections

    Type: List of detections on IP addresses. See IP address detections for details.

    A list providing information about detections that affected an IP address.

  • url_detections

    Type: List of detections on URLs. See URL detections for details.

    A list providing information about detections that affected a URL.

Detection information

Base information about a detection.

  • detection_type

    Type: String.

    Example: signature.

    The type of detection. It is either “signature”, indicating that the detection was raised by an IDS signature match on the captured network traffic, or “blacklist”, indicating that the affected domain or host is known to be involved in malicious activity according to our threat intelligence.

  • threat_class

    Type: String.

    Example: drive-by.

    The threat class of this detection.

  • threat_name

    Type: String.

    Example: pseudo-darkleech redirection to exploit url.

    The threat identified by this detection.

  • threat_severity

    Type: Integer.

    Example: 75.

    A score between 0 and 100 indicating the severity of the detection.

Domain detections

A detection on a domain.

In addition to the generic detection information (see Detection information), it specifies:

  • domain

    Type: String.

    Example: example.com.

    The domain involved in this detection.

IP address detections

A detection on an IP address.

In addition to the generic detection information (see Detection information), it specifies:

  • ip

    Type: String.

    Example: 93.184.216.34.

    The IP address involved in this detection.
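The following is an added example, not code from this documentation or from the vendor, showing how a consumer would parse and validate a report in this format using the fields described under Detection information, Domain detections and IP address detections: it checks the base fields of every detection (allowed detection_type values, severity range 0..100), reads the domain or ip subject field, validates IP syntax, ignores undocumented fields as the specification requires, and exposes a severity filter for triage. It assumes the report has been delivered as JSON (parsed into a dict) and, because the subject field of url_detections is not documented in this section, reads only the base fields for that list. The sample report embedded in the block is constructed; the first entry reuses the page's example values, the second uses invented values.

```python
"""Parse and validate an ll-pcap analysis report (added example, not the
documentation's or vendor's own code). Assumes the report arrives as JSON."""
import ipaddress
import json
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

DETECTION_TYPES = {"signature", "blacklist"}
BASE_FIELDS = ("detection_type", "threat_class", "threat_name", "threat_severity")
# Top-level list -> field naming the affected subject. The subject field of
# url_detections is not documented in this section, so only base fields are read.
SUBJECT_FIELD = {"domain_detections": "domain", "ip_detections": "ip", "url_detections": None}


@dataclass(frozen=True)
class Detection:
    source: str              # top-level list the entry came from
    detection_type: str      # "signature" or "blacklist"
    threat_class: str
    threat_name: str
    threat_severity: int     # 0..100
    subject: Optional[str]   # domain or IP address; None when not documented


def _parse_entry(entry: Dict[str, Any], source: str) -> Detection:
    """Validate one detection entry; unknown fields are ignored per the spec."""
    missing = [f for f in BASE_FIELDS if f not in entry]
    if missing:
        raise ValueError(f"{source}: missing fields {missing}")
    dtype = entry["detection_type"]
    if dtype not in DETECTION_TYPES:
        raise ValueError(f"{source}: unknown detection_type {dtype!r}")
    sev = entry["threat_severity"]
    if isinstance(sev, bool) or not isinstance(sev, int) or not 0 <= sev <= 100:
        raise ValueError(f"{source}: threat_severity must be an integer 0..100, got {sev!r}")
    for f in ("threat_class", "threat_name"):
        if not isinstance(entry[f], str):
            raise ValueError(f"{source}: {f} must be a string")
    subject = None
    field = SUBJECT_FIELD[source]
    if field is not None:
        subject = entry.get(field)
        if not isinstance(subject, str) or not subject:
            raise ValueError(f"{source}: missing or empty {field}")
        if field == "ip":
            ipaddress.ip_address(subject)  # raises ValueError on a malformed address
        else:
            subject = subject.rstrip(".").lower()  # normalise domain for later matching
    return Detection(source, dtype, entry["threat_class"], entry["threat_name"], sev, subject)


def parse_report(report: Dict[str, Any]) -> List[Detection]:
    """Collect detections from all three lists; an absent list counts as empty."""
    detections: List[Detection] = []
    for source in SUBJECT_FIELD:
        entries = report.get(source, [])
        if not isinstance(entries, list):
            raise ValueError(f"{source} must be a list")
        detections.extend(_parse_entry(e, source) for e in entries)
    return detections


def parse_report_json(text: str) -> List[Detection]:
    return parse_report(json.loads(text))


def at_or_above(detections: List[Detection], threshold: int) -> List[Detection]:
    """Detections with threat_severity >= threshold, most severe first."""
    return sorted((d for d in detections if d.threat_severity >= threshold),
                  key=lambda d: d.threat_severity, reverse=True)


def count_by_type(detections: List[Detection]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for d in detections:
        counts[d.detection_type] = counts.get(d.detection_type, 0) + 1
    return counts


# Constructed sample report. The domain entry reuses the page's example values;
# the ip entry's threat_class/threat_name are invented for illustration.
SAMPLE_REPORT = {
    "domain_detections": [
        {"detection_type": "signature", "threat_class": "drive-by",
         "threat_name": "pseudo-darkleech redirection to exploit url",
         "threat_severity": 75, "domain": "example.com",
         "some_experimental_field": "ignored by the parser"},
    ],
    "ip_detections": [
        {"detection_type": "blacklist", "threat_class": "sample-class",
         "threat_name": "sample blacklisted host (constructed)",
         "threat_severity": 90, "ip": "93.184.216.34"},
    ],
    "url_detections": [],
}

if __name__ == "__main__":
    for d in at_or_above(parse_report(SAMPLE_REPORT), 50):
        print(f"{d.threat_severity:3d} {d.detection_type:9s} {d.source:18s} {d.subject}  {d.threat_name}")
```

Rejecting an entry rather than silently coercing it matters for triage pipelines: a severity outside 0..100 or an unparseable IP usually means a schema change upstream, which should surface as an error rather than as a silently dropped or mis-ranked detection.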

URL detections

A detection on a URL.

In addition to the generic detection information (see Detection information), it specifies: