<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Or do the combination: set up the fake server and use tcpdump or
Wireshark to capture all access. That should catch all ports and
protocols.<br>
</p>
<div class="moz-cite-prefix">On 18-02-2019 21.05, Kevin Darcy wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAAeHe+w=HiaJB=NHKL1v7+npng7Q85zPiOpAvrGY7+s-pyD8jA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Another approach is to define a "fake" <a
href="http://vitaminc.pro" target="_blank"
moz-do-not-send="true">vitaminc.pro</a> domain, point it at an
internal webserver (assuming you have a spare, or can spin one
up for the purpose), and see what clients are hitting it.
<div><br>
</div>
<div>Of course, that assumes the communication is web-based. If
it's some other protocol(s), you'd need to monitor that
protocol, or those protocols, on the "decoy" server. One would
need to know more about the behavior of the malware involved.</div>
<div><br>
</div>
<div>Speaking of which, Virustotal doesn't seem to think there's
anything suspicious about <a href="http://vitaminc.pro"
moz-do-not-send="true">vitaminc.pro</a>. Haven't checked my
other sources of Threat Intelligence, but usually there's
*something* on VT if a domain is being used as a C&C...</div>
<div><br>
</div>
<div>
- Kevin</div>
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, Feb 18, 2019 at 9:24
AM Tony Finch <<a href="mailto:dot@dotat.at"
target="_blank" moz-do-not-send="true">dot@dotat.at</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">MEjaz
<<a href="mailto:mejaz@cyberia.net.sa" target="_blank"
moz-do-not-send="true">mejaz@cyberia.net.sa</a>> wrote:<br>
><br>
> If I enabled the system performs will slow down?<br>
<br>
Depends on how much load your servers are under and what their
capacity<br>
is.<br>
<br>
An alternative to query logs, when you are searching for a
known query<br>
name, is to use tcpdump. It's tedious and fiddly to convert
the name to<br>
DNS wire format and then into a pcap filter expression, so I
have a little<br>
script to do that (quoted below after my .sig). The command
you want is<br>
like:<br>
<br>
<pre>tcpdump -np udp port 53 and '(' udp[20] == 8 and udp[21] == 118 and udp[22] == 105 and udp[23] == 116 and udp[24] == 97 and udp[25] == 109 and udp[26] == 105 and udp[27] == 110 and udp[28] == 99 and udp[29] == 3 and udp[30] == 112 and udp[31] == 114 and udp[32] == 111 ')'</pre>
<br>
Tony.<br>
-- <br>
f.anthony.n.finch <<a href="mailto:dot@dotat.at"
target="_blank" moz-do-not-send="true">dot@dotat.at</a>>
<a href="http://dotat.at/" rel="noreferrer" target="_blank"
moz-do-not-send="true">http://dotat.at/</a><br>
Southeast Iceland: Northerly 6 to gale 8, veering
northeasterly 5 to 7. Rough<br>
or very rough. Rain or wintry showers. Good, occasionally
poor.<br>
<br>
<br>
<pre>#!/usr/bin/perl

use warnings;
use strict;

use Net::DNS::DomainName;

die "usage: $0 <domain-name>\n"
    unless @ARGV == 1;

my $text = shift;

# canonical wire format: length-prefixed labels, lower-cased,
# terminated by a zero-length root label
my $wire = Net::DNS::DomainName->new($text)->canonical;

my @wire = unpack 'C*', $wire;

# without a trailing dot, drop the terminating 0 byte so the filter
# matches any query name that begins with these labels
pop @wire unless $text =~ m{\.$};

# udp[20] is the first byte of the question name
# (8-byte UDP header + 12-byte DNS header)
printf "'(' %s ')'\n",
    join ' and ',
    map { sprintf "udp[%d] == %d",
          20 + $_, $wire[$_] }
    0 .. $#wire;
</pre>
<pre>#!/usr/bin/perl

use warnings;
use strict;

die "usage: tcpdump-qname.pl <dns-label>\n"
    unless @ARGV == 1;

my $name = shift;

# print the decimal value of each byte of the label,
# for building a filter by hand
my @name = unpack 'C*', $name;

printf "%s\n", join ', ', @name;
</pre>
<br>
_______________________________________________<br>
Please visit <a
href="https://lists.isc.org/mailman/listinfo/bind-users"
rel="noreferrer" target="_blank" moz-do-not-send="true">https://lists.isc.org/mailman/listinfo/bind-users</a>
to unsubscribe from this list<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank"
moz-do-not-send="true">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users"
rel="noreferrer" target="_blank" moz-do-not-send="true">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote>
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
Best regards
Sten Carlsen
No improvements come from shouting:
"MALE BOVINE MANURE!!!" </pre>
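<p>The filter construction Tony Finch describes in the quoted message (convert the name to DNS wire format, then compare each byte at udp[20 + i]) as an added Python example. This is not the Perl script from the thread and uses only the standard library; it goes a little beyond the script in two ways: an optional case-insensitive variant that masks the 0x20 bit on letters only (a client sending mixed case, e.g. 0x20 case randomisation, would otherwise slip past the byte-exact filter), and an offline evaluator that applies the generated expression to a constructed DNS query so the trailing-dot behaviour (exact match versus "starts with these labels") can be checked without running tcpdump. The <code>udp port 53</code> prefix, the constructed packets and all function names are this example's own assumptions.</p>

```python
"""Build a tcpdump filter that matches DNS queries for one name.

Added example (not the Perl script from the thread): the same idea in
Python with only the standard library. A DNS query's question name starts
at udp[20] as tcpdump counts it (8-byte UDP header + 12-byte DNS header),
so the name is converted to wire format and each byte is compared in place.
evaluate() applies the generated filter to a constructed UDP datagram so the
behaviour can be checked offline.
"""
import re
import struct

QNAME_OFFSET = 8 + 12  # start of the question name, in tcpdump's udp[] indexing


def to_wire(name: str) -> bytes:
    """Encode a dotted name as DNS wire-format labels.

    A trailing dot adds the root (zero-length) label, so the filter matches
    only that exact name. Without it the root label is left off and the
    filter matches any QNAME that begins with these labels (the same rule
    as `pop @wire unless $text =~ m{\\.$}` in the thread).
    """
    fqdn = name.endswith(".")
    body = name.rstrip(".")
    out = bytearray()
    for label in (body.split(".") if body else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out.append(len(raw))
        out += raw
    if fqdn:
        out.append(0)
    return bytes(out)


def _is_letter(b: int) -> bool:
    return 65 <= b <= 90 or 97 <= b <= 122


def bpf_filter(name: str, case_insensitive: bool = False) -> str:
    """Return a pcap filter expression equivalent to the one in the thread.

    By default the name is lower-cased (as Net::DNS's canonical form is) and
    compared byte for byte. With case_insensitive=True the 0x20 bit is
    masked off on letters only; length bytes and digits stay exact.
    """
    wire = to_wire(name if case_insensitive else name.lower())
    terms = []
    for i, b in enumerate(wire):
        off = QNAME_OFFSET + i
        if case_insensitive and _is_letter(b):
            terms.append(f"(udp[{off}] & 0xdf) == {b & 0xdf}")
        else:
            terms.append(f"udp[{off}] == {b}")
    return "udp port 53 and (" + " and ".join(terms) + ")"


def build_udp_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a UDP datagram (header + DNS query) for testing."""
    qname = qname if qname.endswith(".") else qname + "."  # queries carry a full name
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # standard query, RD set
    dns += to_wire(qname) + struct.pack("!HH", 1, 1)         # QTYPE A, QCLASS IN
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0)   # src, dst, length, csum
    return udp + dns


_TERM = re.compile(r"\(udp\[(\d+)\] & 0xdf\) == (\d+)|udp\[(\d+)\] == (\d+)")


def evaluate(expr: str, packet: bytes) -> bool:
    """Apply a bpf_filter() expression to a raw UDP datagram the way BPF would.

    Only the byte-comparison terms are interpreted; `udp port 53` is checked
    against the source and destination ports of the datagram.
    """
    sport, dport = struct.unpack("!HH", packet[:4])
    if 53 not in (sport, dport):
        return False
    for m_off, m_val, p_off, p_val in _TERM.findall(expr):
        off, val = int(m_off or p_off), int(m_val or p_val)
        if off >= len(packet):  # BPF rejects packets shorter than the index
            return False
        byte = packet[off] & 0xDF if m_off else packet[off]
        if byte != val:
            return False
    return True


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "vitaminc.pro"
    # quote the whole expression so the shell does not glob udp[20] etc.
    print(f"tcpdump -np '{bpf_filter(name)}'")
```

<p>Running the script with <code>vitaminc.pro</code> prints the same thirteen byte comparisons as the tcpdump command in the thread. Two limits worth keeping in mind when relying on it: the comparison is anchored at the fixed offset of the first question name, so it only sees UDP queries (not the TCP retries, nor the name inside responses), and a query for <code>vitaminc.pro.example</code> also matches unless the name is given with a trailing dot. Capturing everything to and from the decoy server, as suggested at the top of the thread, has neither limit.</p>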
</body>
</html>