Or do the combination: set up the fake server and use tcpdump or wireshark to capture all access. That should catch all ports and protocols.
On 18-02-2019 21.05, Kevin Darcy wrote:
> Another approach is to define a "fake" vitaminc.pro domain, point it at an internal webserver (assuming you have a spare, or can spin one up for the purpose), and see what clients are hitting it.
>
> Of course, that assumes the communication is web-based. If it's some other protocol(s), you'd need to monitor that protocol, or those protocols, on the "decoy" server. One would need to know more about the behavior of the malware involved.
>
> Speaking of which, Virustotal doesn't seem to think there's anything suspicious about vitaminc.pro. Haven't checked my other sources of Threat Intelligence, but usually there's *something* on VT if a domain is being used as a C&C...
>
> - Kevin
>
> On Mon, Feb 18, 2019 at 9:24 AM Tony Finch <[email protected]> wrote:
>
> > MEjaz <[email protected]> wrote:
> >
> > > If I enable it, will the system performance slow down?
> >
> > Depends on how much load your servers are under and what their capacity is.
> >
> > An alternative to query logs, when you are searching for a known query name, is to use tcpdump. It's tedious and fiddly to convert the name to DNS wire format and then into a pcap filter expression, so I have a little script to do that (quoted below after my .sig). The command you want is like:
> >
> >     tcpdump -np udp port 53 and '(' udp[20] == 8 and udp[21] == 118 and udp[22] == 105 and udp[23] == 116 and udp[24] == 97 and udp[25] == 109 and udp[26] == 105 and udp[27] == 110 and udp[28] == 99 and udp[29] == 3 and udp[30] == 112 and udp[31] == 114 and udp[32] == 111 ')'
> >
> > Tony.
> > --
> > f.anthony.n.finch <[email protected]> http://dotat.at/
> > Southeast Iceland: Northerly 6 to gale 8, veering northeasterly 5 to 7. Rough or very rough. Rain or wintry showers. Good, occasionally poor.
> >
> > #!/usr/bin/perl
> >
> > use warnings;
> > use strict;
> >
> > use Net::DNS::DomainName;
> >
> > die "usage: $0 <domain-name>\n"
> >     unless @ARGV == 1;
> >
> > my $text = shift;
> > # canonical() gives the lower-cased wire form, root label included
> > my $wire = Net::DNS::DomainName->new($text)->canonical;
> >
> > my @wire = unpack 'C*', $wire;
> >
> > # keep the terminating root label only if the name was given with a trailing dot
> > pop @wire unless $text =~ m{\.$};
> >
> > # QNAME starts at udp[20]: 8-byte UDP header plus 12-byte DNS header
> > printf "'(' %s ')'\n",
> >     join ' and ',
> >     map { sprintf "udp[%d] == %d",
> >               20 + $_, $wire[$_] }
> >         0 .. $#wire;
> >
> > #!/usr/bin/perl
> >
> > use warnings;
> > use strict;
> >
> > die "usage: tcpdump-qname.pl <dns-label>\n"
> >     unless @ARGV == 1;
> >
> > my $name = shift;
> >
> > # print the byte values of a single label, comma separated
> > my @name = unpack 'C*', $name;
> >
> > printf "%s\n", join ', ', @name;

-- 
Best regards
Sten Carlsen

No improvements come from shouting:
"MALE BOVINE MANURE!!!"
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
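The name-to-filter conversion that Tony Finch's quoted Perl script performs, as an added Python example that is not code from any of the list posters. It reproduces the udp[20..] offsets of the quoted tcpdump command and goes beyond the script by validating label lengths and offering a case-insensitive variant (letters compared with bit 0x20 masked off) so that queries from resolvers that randomise query case still match; the function names and the `-i` flag are this example's own.

```python
import string

QNAME_OFFSET = 20  # 8-byte UDP header + 12-byte DNS header: the QNAME starts at udp[20]


def name_to_wire(name: str) -> bytes:
    """Encode a domain name as lower-cased DNS wire-format labels (RFC 1035).

    The terminating root label (0x00) is emitted only when the name ends with a
    dot, as in the quoted Perl script; without it the filter also matches any
    longer name that merely starts with these labels (e.g. vitaminc.pro.example).
    """
    exact = name.endswith(".")
    wire = bytearray()
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")  # IDNs must be given in their punycode form
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"label length out of range: {label!r}")
        wire.append(len(raw))
        wire += raw
    if exact:
        wire.append(0)
    if len(wire) > 255:
        raise ValueError("name exceeds 255 octets")
    return bytes(wire)


def qname_filter(name: str, case_insensitive: bool = False) -> str:
    """Return a pcap-filter expression matching UDP/53 datagrams whose QNAME
    begins with `name`.  Caveats: TCP queries are not seen, and pcap resolves
    udp[] offsets only for IPv4 and only in the first fragment of a datagram.

    With case_insensitive=True, letters are compared with bit 0x20 masked off
    (0x20 case randomisation); length bytes, digits and hyphens stay exact.
    """
    terms = []
    for i, octet in enumerate(name_to_wire(name)):
        off = QNAME_OFFSET + i
        if case_insensitive and chr(octet) in string.ascii_lowercase:
            terms.append(f"udp[{off}] & 0xdf == {octet & 0xdf}")
        else:
            terms.append(f"udp[{off}] == {octet}")
    return "udp port 53 and ( " + " and ".join(terms) + " )"


if __name__ == "__main__":
    import sys
    print(qname_filter(sys.argv[1], case_insensitive="-i" in sys.argv[2:]))
```

Pass the printed expression to tcpdump as a single quoted argument (the parentheses are otherwise interpreted by the shell); the output for `vitaminc.pro` is byte-for-byte the filter in the quoted command.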

