[Bro] DNS alert for CryptoLocker?
anthony kasza
anthony.kasza at gmail.com
Wed Nov 6 08:02:14 PST 2013
I wrote this: https://github.com/anthonykasza/nxes
It's not exactly what you're looking to do, as it doesn't make use of the
SumStats framework. Hopefully you still find it helpful.
-AK
On Nov 6, 2013 7:41 AM, "Tyler T. Schoenke" <tyler.schoenke at colorado.edu> wrote:
> So I don’t have to reinvent the wheel, does anyone have a script to alert
> when a bunch of DNS nxdomain response codes are returned? We had a
> CryptoLocker infected system. Here is a snippet of the DNS queries it was
> performing. I assume the script will be fairly trivial to write with the
> new metrics framework.
>
> 1382548938.833528 GMCxsRbK0Ai 128.x.y.z 58872 128.a.b.c 53 udp 11849 ndqycnknvoouv.net 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
> 1382548944.705308 gNc8acns5pe 128.x.y.z 57136 128.a.b.c 53 udp 29248 hcanlyoattqnk.info 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
> 1382548947.922531 2wQ3L1SjO2i 128.x.y.z 55438 128.a.b.c 53 udp 37701 pggqvjlpjuvfj.biz 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
> 1382548950.164884 K6SBCLsCeHd 128.x.y.z 62257 128.a.b.c 53 udp 27109 rkvrpstomducl.org 1 C_INTERNET 1 A - - F F T F 0 - - F
> 1382548952.804004 A3cpzxeprDd 128.x.y.z 62188 128.a.b.c 53 udp 19436 xdlmipcfinsnx.info 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
> 1382548953.848624 oFpUoyQaeT6 128.x.y.z 58160 128.a.b.c 53 udp 64315 yskkfkmsvjyjh.com 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
> 1382548956.153981 42MqOejLeC7 128.x.y.z 61254 128.a.b.c 53 udp 25859 bwalyturyrxgh.biz 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
> 1382548960.964978 iwlngihsWR2 128.x.y.z 59060 128.a.b.c 53 udp 49446 wfffkyemceall.info 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
> 1382548965.228544 BSHfNWkQmN2 128.x.y.z 50542 128.a.b.c 53 udp 64599 gxfbvapxgjhhwir.ru 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
> 1382548966.392850 AL4jDt0K4Bl 128.x.y.z 65068 128.a.b.c 53 udp 60778 pbxksllrmivxhjc.org 1 C_INTERNET 1 A - - F F T F 0 - - F
> 1382548998.923970 hvrkgMU1nj9 128.x.y.z 64366 128.a.b.c 53 udp 58017 - - - - - 0 NOERROR F F F T 0 212.71.250.4,212.71.250.4 0.000000,0.000000 F
> 1382549001.210921 F0wHtNhVKQj 128.x.y.z 53692 128.a.b.c 53 udp 18268 eijwmsocubkbifr.com 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
> 1382549004.587866 dupMP8ecnh9 128.x.y.z 65102 128.a.b.c 53 udp 55272 - - - - - 3 NXDOMAIN F F F F 0 - - F
> 1382549005.590564 8hHrrWK3ySg 128.x.y.z 53233 128.a.b.c 53 udp 49644 csnrwkgpneybfdw.org 1 C_INTERNET 1 A - - F F T F 0 - - F
> 1382549008.355729 2zHHnrpDv94 128.x.y.z 49268 128.a.b.c 53 udp 48578 yxhlnnrvnxwhvjb.info 1 C_INTERNET 1 A - - F F T F 0 - - F
> 1382549009.401946 XGYKkM7TJHb 128.x.y.z 58084 128.a.b.c 53 udp 21374 ypqijlryiuibvra.com 1 C_INTERNET 1 A - - F F T F 0 - - F
> 1382549011.483780 jPbHypWQKyh 128.x.y.z 56556 128.a.b.c 53 udp 38615 gfidmpcvtbjipor.biz 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
> 1382549014.515443 ndy7OcvfED 128.x.y.z 49785 128.a.b.c 53 udp 11355 - - - - - 3 NXDOMAIN F F F F 0 - - F
> 1382549015.564495 qkrQfYjmd8g 128.x.y.z 64433 128.a.b.c 53 udp 45 - - - - - 0 NOERROR F F F T 0 212.71.250.4,212.71.250.4 0.000000,0.000000 F
> 1382549017.104583 bQbmeVq6PSl 128.x.y.z 60956 128.a.b.c 53 udp 21595 epmydibaismctwn.info 1 C_INTERNET 1 A - - F F T F 0 - - F
> 1382549020.276359 ZyCXQrFDUie 128.x.y.z 58936 128.a.b.c 53 udp 45237 taxkcsutphxwues.biz 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
> 1382549021.295831 DDxa09moudg 128.x.y.z 51396 128.a.b.c 53 udp 14981 ooqydautbpucsxk.ru 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
> 1382549024.077917 utOUlYH43La 128.x.y.z 61588 128.a.b.c 53 udp 33615 - - - - - 0 NOERROR F F F T 0 212.71.250.4 0.000000 F
> 1382549026.376626 7NYXLG3zOJ4 128.x.y.z 52200 128.a.b.c 53 udp 30833 myuutstxphxvlmn.com 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
> 1382549028.599961 MBxVPKOcOl3 128.x.y.z 58592 128.a.b.c 53 udp 49290 ohfvyihiguvwuxp.biz 1 C_INTERNET 1 A - - F F T F 0 - - F
> 1382549031.847178 vD02D08eII4 128.x.y.z 61924 128.a.b.c 53 udp 23377 shocdnhyfmdfsoj.co.uk 1 C_INTERNET 1 A - - F F T F 0 - - F
> 1382549034.478314 n3WCj7AlLU2 128.x.y.z 60108 128.a.b.c 53 udp 33753 tmyedwcqvvykcjj.com 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
> 1382549036.575201 caR4StggyDa 128.x.y.z 52132 128.a.b.c 53 udp 4039 oxsaegepxdvieuh.biz 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
> 1382549037.595521 OgiZzasfva3 128.x.y.z 52622 128.a.b.c 53 udp 49144 cbcrkxjuurixfpe.ru 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
> 1382549038.784184 fbHvNBwyQr6 128.x.y.z 65484 128.a.b.c 53 udp 51376 pddcepyhomrngqq.org 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 0 - - F
> 1382549039.995781 MdZxaa06IYh 128.x.y.z 56073 128.a.b.c 53 udp 1505 novnagkvsgbfbvv.co.uk 1 C_INTERNET 1 A 0 NOERROR F F T T 0 212.71.250.4,212.71.250.4 0.000000,0.00000
>
> Thanks,
>
> Tyler
>
> --
> Tyler Schoenke
> Network Security Program Manager
> IT Security Office
> University of Colorado at Boulder
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
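A SumStats-based version of the alert the original post asks for, added here as an example; it is not the code from the nxes repository and not from either poster. The module name, notice type, threshold and epoch are assumptions to tune per site, and it counts only queries whose logged rcode_name is NXDOMAIN, so the unanswered queries in the snippet (rcode "-") are not counted.

```bro
# Added example (not from the nxes repo or the thread): notice when one host
# collects many NXDOMAIN responses within an epoch, using Bro 2.2's SumStats.
@load base/frameworks/sumstats
@load base/frameworks/notice
@load base/protocols/dns

module DNS_NXDOMAIN;   # module name is an assumption

export {
	redef enum Notice::Type += {
		Excessive_NXDOMAIN,
	};

	## Threshold and epoch are assumed starting values; tune to your site.
	const nx_threshold: double = 25.0 &redef;
	const nx_epoch = 5min &redef;
}

event bro_init()
	{
	local r1 = SumStats::Reducer($stream="dns.nxdomain", $apply=set(SumStats::SUM));
	SumStats::create([$name="dns-nxdomain-per-host",
	                  $epoch=nx_epoch,
	                  $reducers=set(r1),
	                  # Value compared against $threshold: this host's NXDOMAIN count.
	                  $threshold_val(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	return result["dns.nxdomain"]$sum;
	                  	},
	                  $threshold=nx_threshold,
	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	local r = result["dns.nxdomain"];
	                  	NOTICE([$note=Excessive_NXDOMAIN,
	                  	        $src=key$host,
	                  	        $msg=fmt("%s received %d NXDOMAIN responses in %s",
	                  	                 key$host, double_to_count(r$sum), nx_epoch),
	                  	        # One notice per host per epoch instead of one per query.
	                  	        $identifier=cat(key$host),
	                  	        $suppress_for=nx_epoch]);
	                  	}]);
	}

# Observe from the finished dns.log record, so only queries that actually got
# an NXDOMAIN answer count; unanswered queries (rcode "-") are ignored.
event DNS::log_dns(rec: DNS::Info)
	{
	if ( rec?$rcode_name && rec$rcode_name == "NXDOMAIN" )
		SumStats::observe("dns.nxdomain", [$host=rec$id$orig_h], [$num=1]);
	}
```

Keying on id.orig_h matches the snippet, where every query comes from the same infected 128.x.y.z; a site whose clients all resolve through one forwarder would need to key on the forwarder's own logs instead.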