bro

Bro Script: Hardcoded IP addresses

Ich have one assignment and I need a little help. I have infected.pcap and the following task:

Hardcoded IP addresses Sometimes, malware contains hardcoded IP addresses to download their payload or to communicate with their command and control (C&C) server. Find all such communication. Hint: Such IPs have no preceding DNS request.

I need to solve it with Bro script. This was my idea, but unfortunatelly all my connections have no DNS request:

    @load base/protocols/dns/main.bro
event file_timeout(f: fa_file)
    {
    for ( cid in f$conns )
        {
    if(f$conns[cid]?$dns){
        print f$conns[cid]$dns; 
        print "DNS";
    }else {
        print "No DNS";
    }
        }
    }

Do you know maybe what is wrong with my code?

Solution

  • I would suggest that you're using the wrong event for this. The file_timeout only occurs if a file transfer was occurring and then stopped without completing. A much more interesting event correlation would be:

    1. Track DNS address lookup responses (I would likely use event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)).
    2. Record the addresses returned in a set; this will provide you a set of all addresses that were discovered through a DNS query.
    3. Examine outbound requests (where orig_h on the SYN is an internal address)
    4. Check to see if the address in id$resp_h is in the set of addresses step 2. If it is, return, if it isn't, generate a notice since you have an outbound connection attempt with no corresponding DNS lookup.