Hi, a few days ago I listened to the SANS Daily Network Security Podcast, in which Johannes Ullrich talked about Raccoon Stealer: “Trash panda” abuses Telegram. Johannes continued his summary with a very good piece of advice: "The URLs here appeared to be just IP addresses, not hostnames. A zeek script detecting outbound connections to IP addresses that did not get returned as DNS responses... something good to have." I followed this idea and looked for such scripts, but I only found this article by David Hoelzer: Zeek Correlations: Outbound Connections. Does anyone in the community have something like this in place utilizing Zeek? Cheers,
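A minimal Zeek implementation of the idea from the podcast (an added example, not code from the thread, the podcast, or David Hoelzer's article). It records every address seen in an A/AAAA answer and raises a notice when a local host opens an outbound TCP connection to a public address that was never resolved. It assumes `Site::local_nets` is populated and that the sensor sees the clients' DNS traffic; addresses resolved over DoH/DoT, or resolved before Zeek started, will show up as false positives. The `watched_ports` set and the one-hour cache lifetime are assumed values to tune.

```zeek
@load base/frameworks/notice
@load base/protocols/conn
@load base/protocols/dns
@load base/utils/site

module DirectIP;

export {
	redef enum Notice::Type += {
		## Outbound connection to a public address never seen in a DNS answer.
		Connection_Without_DNS,
	};

	## How long a resolved address is remembered (assumed default, tune to your DNS TTLs).
	const resolved_lifetime = 1hr &redef;

	## Destination ports to check; small set keeps noise down (assumed default).
	const watched_ports: set[port] = { 80/tcp, 443/tcp, 8080/tcp } &redef;
}

## Addresses handed out in A/AAAA answers; entries expire on their own.
global resolved: set[addr] &create_expire=resolved_lifetime;

# Both events fire once per answer record, so CNAME chains are covered
# as long as the final A/AAAA record is present in the response.
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
	{
	add resolved[a];
	}

event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
	{
	add resolved[a];
	}

event connection_established(c: connection)
	{
	local orig = c$id$orig_h;
	local resp = c$id$resp_h;

	# Outbound only: local originator, non-local, non-RFC1918 responder.
	if ( ! Site::is_local_addr(orig) || Site::is_local_addr(resp) || Site::is_private_addr(resp) )
		return;

	if ( c$id$resp_p !in watched_ports || resp in resolved )
		return;

	# One notice per destination address per hour, so a beaconing host does not flood the log.
	NOTICE([$note=Connection_Without_DNS,
	        $conn=c,
	        $msg=fmt("%s connected to %s:%s with no prior DNS answer for that address", orig, resp, c$id$resp_p),
	        $identifier=cat(resp),
	        $suppress_for=1hr]);
	}
```

Load it with `zeek -r capture.pcap this_script.zeek` (or add it to `local.zeek`) and look for `DirectIP::Connection_Without_DNS` in notice.log; in a cluster, the `resolved` set should be made a shared table since the DNS answer and the connection may land on different workers.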
Replies: 1 comment
Besides the Zeek script in the article, another option might be to leverage the `http.dottedquadhost` rules that are already in the Emerging Threats NIDS ruleset.