Here we're using the workbench server to look at a specific case captured by ThreatGlass. The exploited website for this exercise is gold-xxx.net ThreatGlass_Info.
Tools in this Notebook:
More Info:
Run the workbench server (from somewhere, for the demo we're just going to start a local one)
$ workbench_server
# Let's start to interact with Workbench. Note that there is NO specific client for Workbench;
# just use the ZeroRPC Python, Node.js, or CLI interfaces.
import zerorpc
c = zerorpc.Client(timeout=120)
c.connect("tcp://127.0.0.1:4242")
[None]
# Load in the PCAP file
with open('../data/pcap/gold_xxx.pcap', 'rb') as f:
    pcap_md5 = c.store_sample(f.read(), 'gold_xxx', 'pcap')
# Now give us an HTTP graph of all the activities within that PCAP.
# Workbench also has DNS and CONN graphs, but for now we're just interested in HTTP.
c.work_request('pcap_http_graph', pcap_md5)
{'pcap_http_graph': {'md5': 'c8e58ff22b9a8e48838373fbb1692bdd', 'output': 'go to http://localhost:7474/browser and execute this query "match (s:origin), (t:file), p=allShortestPaths((s)--(t)) return p"'}}
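The three calls above trust the server on two points: that the bytes we tagged as `pcap` really are a PCAP, and that the MD5 Workbench hands back (which keys every later `work_request`) is the hash of the file we just read. The following wrapper, an added example that is not part of the original notebook or of the Workbench project, adds both checks and pulls the Cypher query out of the `pcap_http_graph` output. `StubWorkbench` is a constructed stand-in that mimics the two calls the notebook makes (using the output string shown above) so the example runs offline; `connect_workbench` builds the real ZeroRPC client the same way the notebook does, and the sample PCAP header is constructed inline.

```python
import hashlib
import re
import struct

# Classic libpcap global-header magics (micro- and nanosecond, both byte orders).
PCAP_MAGICS = {b'\xd4\xc3\xb2\xa1', b'\xa1\xb2\xc3\xd4',
               b'\x4d\x3c\xb2\xa1', b'\xa1\xb2\x3c\x4d'}

# Constructed sample: a 24-byte libpcap header (magic, v2.4, tz 0, sigfigs 0,
# snaplen 65535, linktype 1 = Ethernet) with no packets. Stands in for gold_xxx.pcap.
SAMPLE_PCAP = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)


def md5_hex(data):
    """Workbench keys every stored sample by the MD5 of its bytes."""
    return hashlib.md5(data).hexdigest()


def looks_like_pcap(data):
    """Cheap sanity check before tagging arbitrary bytes as type 'pcap'."""
    return len(data) >= 24 and data[:4] in PCAP_MAGICS


def extract_cypher(output):
    """Pull the double-quoted Cypher query out of the pcap_http_graph output text."""
    m = re.search(r'"([^"]+)"', output)
    if not m:
        raise ValueError('no quoted Cypher query in worker output: %r' % output)
    return m.group(1)


class StubWorkbench(object):
    """Constructed offline stand-in for a zerorpc Workbench client (not the real API).
    It implements only the two calls the notebook uses, with the same result shapes."""

    def __init__(self):
        self.samples = {}

    def store_sample(self, data, filename, type_tag):
        md5 = md5_hex(data)
        self.samples[md5] = (filename, type_tag, data)
        return md5

    def work_request(self, worker, md5):
        if md5 not in self.samples:
            raise KeyError('unknown sample %s' % md5)
        # Same shape as the real pcap_http_graph result shown in the notebook.
        return {worker: {
            'md5': md5,
            'output': 'go to http://localhost:7474/browser and execute this query '
                      '"match (s:origin), (t:file), p=allShortestPaths((s)--(t)) return p"'}}


def connect_workbench(address='tcp://127.0.0.1:4242', timeout=120):
    """Real client, built exactly as in the notebook. zerorpc is imported lazily so
    the offline stub path needs no zerorpc install."""
    import zerorpc
    c = zerorpc.Client(timeout=timeout)
    c.connect(address)
    return c


def pcap_to_http_graph(client, pcap_bytes, name):
    """Store a PCAP, verify the returned MD5, and request its HTTP graph.

    Returns a dict with the verified md5, the raw worker output and the Cypher
    query a user would paste into the Neo4j browser."""
    if not looks_like_pcap(pcap_bytes):
        raise ValueError('%s does not start with a libpcap header' % name)
    local_md5 = md5_hex(pcap_bytes)
    stored_md5 = client.store_sample(pcap_bytes, name, 'pcap')
    # If these differ, later work_request calls would graph some other sample.
    if stored_md5 != local_md5:
        raise ValueError('server md5 %s != local md5 %s' % (stored_md5, local_md5))
    result = client.work_request('pcap_http_graph', stored_md5)
    output = result['pcap_http_graph']['output']
    return {'md5': stored_md5, 'output': output, 'cypher': extract_cypher(output)}


if __name__ == '__main__':
    # Offline demo against the stub; swap in connect_workbench() for a live server.
    info = pcap_to_http_graph(StubWorkbench(), SAMPLE_PCAP, 'gold_xxx')
    print('sample md5 :', info['md5'])
    print('neo4j query:', info['cypher'])
```

To run against the notebook's live server, replace `StubWorkbench()` with `connect_workbench()` and `SAMPLE_PCAP` with the bytes read from `../data/pcap/gold_xxx.pcap`; the checks are the same either way.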
Well, for this short notebook we used 3 lines of Python to go from a PCAP file to a Neo4j graph. We hope this exercise showed some neato functionality using Workbench; we encourage you to check out the GitHub repository and our other notebooks: