Question 1

How to fix the ImportError with pynids when running ChopShop on Ubuntu?

Accepted Answer

The README notes a known bug with Ubuntu's pynids package. You need to compile pynids from source from the GitHub repository, as the apt version causes issues, requiring manual intervention.

Question 2

ChopShop vs. Wireshark for analyzing APT traffic?

Accepted Answer

ChopShop is specialized for APT tradecraft with custom decoders, while Wireshark is a general-purpose packet analyzer. For focused, analyst-driven APT detection, ChopShop is better, but Wireshark excels at broad protocol inspection.

Question 3

What documentation is available for ChopShop?

Accepted Answer

Documentation is hosted on ReadTheDocs, as stated in the README. It provides guides for using the framework, creating decoders, and troubleshooting, essential for effective implementation.

Question 4

How to create a custom protocol decoder in ChopShop?

Accepted Answer

Leverage the framework's pynids integration and refer to the ReadTheDocs documentation. You'll need Python skills and protocol knowledge to build decoders tailored to specific APT indicators.

Question 5

Is ChopShop suitable for real-time network monitoring?

Accepted Answer

Yes, it can process live traffic via pynids, but being in beta, performance may vary. It's best for analysis and detection rather than high-speed, production-grade monitoring systems.

Question 6

ChopShop or Suricata for threat detection?

Accepted Answer

Suricata is a mature IDS/IPS with extensive rule sets, while ChopShop is a framework for custom APT analysis. Choose Suricata for general network security, and ChopShop when you need specialized, hands-on APT investigation.

chopshop

What is chopshop?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions