Sharing good sources of sample captures

Hello all!

A useful resource for developers, rule writers and Suricata enthusiasts and users are sample capture files. Those can help us create new tests, improve existing protocols, practice threat hunting and malware analysis, creating training material and much more.

18. Public Data Sets — Suricata 7.0.0-dev documentation has a list with good sources, but as the documentation isn’t as dynamic as a forum thread, I want to kickstart sharing a few more useful links, and hopefully, others out there will have more cool reliable pages to share. :slight_smile:

Please only share trusted sources, let’s try to keep this community a safe space for others to find data sets!

3 Likes

Our @jstrosch’s repo, updated often:

2 Likes

Brad Duncan keeps https://www.malware-traffic-analysis.net/ another great source for malware traffic pcaps and exercises, tutorials, and more.

2 Likes

For miscellaneous traffic, one option is

1 Like

Another one by Packetbeat, looks like a good source for varied pcaps:

These are some good details about sample captures. But are they safe to download and use? I mean will this act maliciously if not caught by Suricata somehow?

1 Like

That is a valid question.

The sources we are listing here are safe, as far as we can tell. They also, many a times, include their own safety instructions.

I would consider that if you are just running Suri over these in pcap mode, Suri would just be analyzing past flow activities, therefore, in theory, there shouldn’t be a risk.

But even then, most threat hunters I see around will run such pcaps from within some virtual environment, to avoid surprises.

It’s probably better to wait for an answer from someone who has more experience in this, as I’m just a developer :stuck_out_tongue:

Hi, Ju

In principle, and using meerkat in offline mode, there should be no problem with any pcap. Suricata works, generates the logs and there is nothing else. I understand it like this.

I have worked with many of those pcaps, including the ones at https://www.malware-traffic-analysis.net/ and I am still alive. :wink:

1 Like

Thanks guys for the feedback.

2 Likes