Question
I have one assignment and I need a little help. I have infected.pcap and the following task:
Hardcoded IP addresses Sometimes, malware contains hardcoded IP addresses to download their payload or to communicate with their command and control (C&C) server. Find all such communication. Hint: Such IPs have no preceding DNS request.
I need to solve it with Bro script. This was my idea, but unfortunately all my connections have no DNS request:
@load base/protocols/dns/main.bro

# Runs when a file transfer stops without completing.
event file_timeout(f: fa_file)
    {
    # f$conns maps each connection id carrying this file to its connection record.
    for ( cid in f$conns )
        {
        # The optional $dns field is only set on the connection that carried DNS itself.
        if ( f$conns[cid]?$dns )
            {
            print f$conns[cid]$dns;
            print "DNS";
            }
        else
            {
            print "No DNS";
            }
        }
    }
Do you know maybe what is wrong with my code?
Answer 1:
I would suggest that you're using the wrong event for this. The file_timeout only occurs if a file transfer was occurring and then stopped without completing. A much more interesting event correlation would be:
- Track DNS address lookup responses (I would likely use event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)).
- Record the addresses returned in a set; this will provide you a set of all addresses that were discovered through a DNS query.
- Examine outbound requests (where orig_h on the SYN is an internal address).
- Check to see if the address in id$resp_h is in the set of addresses from step 2. If it is, return; if it isn't, generate a notice since you have an outbound connection attempt with no corresponding DNS lookup.
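The correlation described in the answer, written out as an added Bro script (this is example code, not the answerer's): DNS A/AAAA answers fill a set of resolved addresses, and each new outbound connection whose responder is missing from that set raises a notice. It assumes Bro 2.x syntax and that Site::local_nets has been redef'd to the internal ranges of the capture; the notice type name HardcodedIP::Connection_Without_DNS is an assumption.

```zeek
# Added example, not from the original answer. Run as:
#   bro -r infected.pcap hardcoded_ip.bro "Site::local_nets += { 192.168.0.0/16 }"
# (the subnet above is a constructed placeholder; use the capture's internal range).
@load base/frameworks/notice
@load base/protocols/dns
@load base/protocols/conn
@load base/utils/site

module HardcodedIP;

export {
    redef enum Notice::Type += {
        ## Outbound connection to an address never returned by a DNS answer.
        Connection_Without_DNS
    };
}

## Step 2 of the answer: every address seen in a DNS A or AAAA reply.
global resolved: set[addr] = set();

## Step 1: collect addresses from DNS responses (IPv4 and IPv6).
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    add resolved[a];
    }

event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    add resolved[a];
    }

## Steps 3 and 4: inspect each new connection as it appears (first packet / SYN).
event new_connection(c: connection)
    {
    local orig = c$id$orig_h;
    local resp = c$id$resp_h;

    # Outbound only: internal originator, external responder.
    if ( ! Site::is_local_addr(orig) || Site::is_local_addr(resp) )
        return;

    # The resolver itself is contacted without a prior lookup; do not flag it.
    if ( c$id$resp_p == 53/udp || c$id$resp_p == 53/tcp )
        return;

    if ( resp in resolved )
        return;

    NOTICE([$note=Connection_Without_DNS,
            $msg=fmt("%s -> %s with no preceding DNS lookup", orig, resp),
            $conn=c,
            $identifier=cat(resp)]);
    }
```

Matches land in notice.log; $identifier suppresses repeated notices for the same responder, so each hardcoded address is reported once.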
Source: https://stackoverflow.com/questions/47928298/bro-script-hardcoded-ip-addresses