Bro Script: Hardcoded IP addresses

Question

Ich have one assignment and I need a little help. I have infected.pcap and the following task:

Hardcoded IP addresses Sometimes, malware contains hardcoded IP addresses to download their payload or to communicate with their command and control (C&C) server. Find all such communication. Hint: Such IPs have no preceding DNS request.

I need to solve it with Bro script. This was my idea, but unfortunatelly all my connections have no DNS request:

    @load base/protocols/dns/main.bro
event file_timeout(f: fa_file)
    {
    for ( cid in f$conns )
        {
    if(f$conns[cid]?$dns){
        print f$conns[cid]$dns; 
        print "DNS";
    }else {
        print "No DNS";
    }
        }
    }

Do you know maybe what is wrong with my code?

Just wondering if I'm wasting my time having answered this question... Was the answer helpful for you? — David Hoelzer, Dec 28 '17 at 13:17
Hey, sorry, I didn't try it yet. I will try your tip in one week. — Neda, Jan 01 '18 at 22:32
Thanks. Honestly, I'm going to write pretty much the same script. It's a useful thing to monitor for. — David Hoelzer, Jan 01 '18 at 23:13

score 0 · Accepted Answer · answered Dec 21 '17 at 16:18

I would suggest that you're using the wrong event for this. The file_timeout only occurs if a file transfer was occurring and then stopped without completing. A much more interesting event correlation would be:

Track DNS address lookup responses (I would likely use event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)).
Record the addresses returned in a set; this will provide you a set of all addresses that were discovered through a DNS query.
Examine outbound requests (where orig_h on the SYN is an internal address)
Check to see if the address in id$resp_h is in the set of addresses step 2. If it is, return, if it isn't, generate a notice since you have an outbound connection attempt with no corresponding DNS lookup.

Bro Script: Hardcoded IP addresses

1 Answers1

Linked