ChopShop is a MITRE-developed framework that helps analysts create and run pynids-based decoders and detectors for APT tradecraft.
Note that ChopShop is still in perpetual beta and depends on libnids/pynids for most of its underlying functionality.
The chopshop program is a Python script designed to be run from the command line. It requires Python 2.6+ and pynids to be installed. It also requires "modules" to be written that do the actual processing of network data: ChopShop, by itself, does not process any pcap data; it provides the facilities for the modules to do so.
+ Python 2.6 or higher
+ libnet and libpcap
git clone https://github.com/MITRECND/pynids/ && cd pynids
sudo python setup.py build
sudo python setup.py install
git clone https://github.com/MITRECND/chopshop && cd chopshop
pip install -r dev-requirements.txt
./chopshop -f /pcaps/data.pcap "payloads; gh0st_decode"
./chopshop -f foo.pcap "http | http_extractor"
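The two invocations above use ChopShop's module-string syntax: a semicolon separates independent module chains that each read the pcap directly, and a pipe passes one module's output into the next. The Python 3 script below is an added example, not code from the ChopShop project, that parses such a string into chains of (module name, arguments) pairs. The grammar it implements (`;` for independent chains, `|` for piping, shell-style arguments and quoting after a module name) is an interpretation of the examples above, and the module-name check is this example's own design choice, not a documented ChopShop behaviour.

```python
"""Parse a ChopShop-style module invocation string (added example, not ChopShop code).

Assumed syntax, read from the invocations on the page:
  - ';' separates independent module chains, each fed the pcap directly
  - '|' inside a chain pipes one module's output into the next module
  - each module is a name optionally followed by shell-style arguments
  - quotes protect ';' and '|' inside a module's arguments
"""
import re
import shlex
from typing import List, NamedTuple

# Module names are used by a framework to locate a module file on disk, so this
# example accepts only a conservative character set (a design choice of this
# example, not ChopShop's own rule) to rule out path separators and traversal.
MODULE_NAME_RE = re.compile(r"[A-Za-z0-9_]+")


class Module(NamedTuple):
    name: str
    args: List[str]


def split_top_level(text: str, sep: str) -> List[str]:
    """Split text on sep, ignoring occurrences of sep inside single or double quotes."""
    parts, buf, quote = [], [], None
    for ch in text:
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in ('"', "'"):
            quote = ch
            buf.append(ch)
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts]


def parse_module(spec: str) -> Module:
    """Turn 'name -a "arg with spaces"' into Module('name', ['-a', 'arg with spaces'])."""
    tokens = shlex.split(spec)  # raises ValueError on an unterminated quote
    if not tokens:
        raise ValueError("empty module specification")
    name = tokens[0]
    if not MODULE_NAME_RE.fullmatch(name):
        raise ValueError("invalid module name: %r" % name)
    return Module(name, tokens[1:])


def parse_invocation(text: str) -> List[List[Module]]:
    """Return a list of chains; each chain is the ordered list of piped modules."""
    chains = []
    for chain_text in split_top_level(text, ";"):
        if not chain_text:
            raise ValueError("empty module chain in %r" % text)
        chains.append([parse_module(m) for m in split_top_level(chain_text, "|")])
    return chains


if __name__ == "__main__":
    # Constructed inputs: the two invocations from the page plus one with arguments.
    for s in ("payloads; gh0st_decode", "http | http_extractor",
              'http -b | http_extractor -o "out dir"'):
        print(s, "->", parse_invocation(s))
```

Each chain in the result is the list of modules that would be piped together; a string such as `payloads; gh0st_decode` yields two single-module chains, while `http | http_extractor` yields one two-module chain. Malformed input (an empty chain, an unterminated quote, or a module name containing a path separator) is rejected before anything is looked up on disk.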