Bro Script: Hardcoded IP addresses

Question
I have one assignment and I need a little help. I have infected.pcap and the following task:

Hardcoded IP addresses. Sometimes, malware contains hardcoded IP addresses to download their payload or to communicate with their command and control (C&C) server. Find all such communication. Hint: Such IPs have no preceding DNS request.

I need to solve it with Bro script. This was my idea, but unfortunately all my connections have no DNS request:
    @load base/protocols/dns/main.bro

    # Fires only when a file transfer stops without completing.
    event file_timeout(f: fa_file)
        {
        for ( cid in f$conns )
            {
            # Check whether the connection record carries DNS state.
            if ( f$conns[cid]?$dns )
                {
                print f$conns[cid]$dns;
                print "DNS";
                }
            else
                {
                print "No DNS";
                }
            }
        }
Do you know maybe what is wrong with my code?

Answer
I would suggest that you're using the wrong event for this. The file_timeout event only occurs if a file transfer was occurring and then stopped without completing. A much more interesting event correlation would be:
- Track DNS address lookup responses (I would likely use event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)).
- Record the addresses returned in a set; this will provide you a set of all addresses that were discovered through a DNS query.
- Examine outbound requests (where orig_h on the SYN is an internal address).
- Check to see if the address in id$resp_h is in the set of addresses from step 2. If it is, return; if it isn't, generate a notice since you have an outbound connection attempt with no corresponding DNS lookup.
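The four steps above, written out as one complete script. This is an added example, not code from the answer or from the Bro/Zeek project; it uses Zeek (the renamed Bro) script syntax, so save it as hardcoded_ip.zeek and run it with `zeek -r infected.pcap hardcoded_ip.zeek` (on an older Bro install, `bro -r`). The internal address ranges under Site::local_nets are assumed values; replace them with the ranges that belong to the infected host in the trace. The notice name No_DNS_Before_Connect and the module name HardcodedIP are likewise my own choices.

```zeek
# Added example: flag outbound TCP connections whose responder address was
# never returned by a DNS A/AAAA answer earlier in the trace. Because the
# pcap is replayed in packet order, every DNS answer that precedes a
# connection is already in the set when that connection's first packet
# is seen, which is exactly the "no preceding DNS request" condition.
@load base/frameworks/notice
@load base/utils/site

module HardcodedIP;

export {
    redef enum Notice::Type += {
        ## Outbound connection to an address with no preceding DNS lookup.
        No_DNS_Before_Connect
    };

    ## Step 2: every address seen in a DNS answer so far in the trace.
    global resolved: set[addr] = set();
}

# Assumption: the monitored (internal) networks. Adjust for the trace.
redef Site::local_nets += { 192.168.0.0/16, 10.0.0.0/8 };

# Step 1: record the address carried by each A answer.
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    add resolved[a];
    }

# Same for AAAA answers, so IPv6 destinations are not all flagged.
event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    add resolved[a];
    }

# Steps 3 and 4: new_connection fires on the first packet of a connection
# (the SYN for TCP), so attempts that never complete are covered as well.
event new_connection(c: connection)
    {
    local orig = c$id$orig_h;
    local resp = c$id$resp_h;

    # Only TCP, and only outbound: internal originator, external responder.
    if ( get_port_transport_proto(c$id$resp_p) != tcp )
        return;
    if ( ! Site::is_local_addr(orig) || Site::is_local_addr(resp) )
        return;

    # The responder was learned through DNS: nothing to report.
    if ( resp in resolved )
        return;

    # Otherwise the host is talking to an address it never resolved.
    # $identifier suppresses repeated notices for the same responder.
    NOTICE([$note=No_DNS_Before_Connect,
            $conn=c,
            $msg=fmt("%s connected to %s without a preceding DNS answer for it",
                     orig, resp),
            $identifier=cat(resp)]);
    }
```

The result lands in notice.log with one line per distinct responder address. Expect some benign hits: hosts contacted via an address that was resolved before the capture started, or that was looked up over a channel the trace does not contain, also appear as "hardcoded", so the log is a candidate list to review against conn.log rather than a verdict.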