monitor network traffic and pulls suspected file(s) that connecting to specific server
$ sudo apt-get install systemtap
$ sudo apt-get install python-pip
$ pip install requests
$ sudo stap-prep
$ sudo apt-get install linux-image-$(uname -r)-dbgsym
Test if SystemTap is working:
$ sudo stap -e 'probe netfilter.ip.local_out{ printf("%d><%s><%s><%s\n", pid(), daddr, cmdline_str(), data_hex)}'
$ ping www.google.com
$ sudo stap -e 'probe netfilter.ip.local_out{ printf("%d><%s><%s><%s\n", pid(), daddr, cmdline_str(), data_hex)}' | python syscam24.py www.exampie.com test.com
sysdig support
add webserver to download suspected files