Closed lucaderi closed 3 years ago
Use https://www.malware-traffic-analysis.net/2020/12/07/index.html with 2020-12-07-Qakbot-with-Cobalt-Strike-and-spambot-activity.pcap.zip for reproducing it
This ticket will trigger an alert on a host that will stay open and will be automatically acknowledged once #4293 is implemented.
I see several issues in the current code
Hi @MatteoBiscosi in my tests the outcome is correct.
Hi @martinscheu , great! thank you for your feedback.
One of the core Internet principles is that some basic services such as NTP server, NTP server, printers.... are limited. This means for instance that unless a host is an SMTP server, the number of SMTP servers a host can contact is limited to a few hosts (<5 let's say). In the example below this host has contacted 150+ SMTP servers and this is clearly a problem.
It is requested to create a plugin that can monitor NTP, SMTP and DNS server connections (more will follow) and set a threshold on each of them. This is gonna be a host script.
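As an added illustration of the check this ticket asks for (this is example code, not ntopng's plugin or host-script code), the block below counts the distinct NTP, SMTP and DNS servers each host has contacted and flags hosts that exceed a per-service threshold. The flow records, the 10.0.0.x / 192.0.2.x / 198.51.100.x / 203.0.113.x addresses, the port-to-service mapping and the threshold of 5 are all constructed for the example; the rule that a host which itself receives traffic on a service port is exempt for that service is an assumption that models the "unless a host is an SMTP server" caveat.

```python
"""Count distinct NTP/SMTP/DNS servers contacted per host and flag hosts
that exceed a per-service threshold.

Added example for this ticket, not ntopng code. Flows, addresses, ports
and thresholds below are constructed for illustration.
"""
from collections import defaultdict

# Assumed service classification by transport protocol and destination port.
SERVICES = {
    ("udp", 123): "NTP",
    ("tcp", 25): "SMTP",
    ("tcp", 465): "SMTP",
    ("tcp", 587): "SMTP",
    ("udp", 53): "DNS",
    ("tcp", 53): "DNS",
}

# Hypothetical thresholds: max distinct servers a client host may contact per service.
THRESHOLDS = {"NTP": 5, "SMTP": 5, "DNS": 5}


def flow(src, dst, proto, dport):
    """Build one minimal flow record (constructed sample data)."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


def classify(f):
    """Map a flow to a service name, or None if it is not one we monitor."""
    return SERVICES.get((f["proto"], f["dport"]))


def count_servers(flows):
    """Return {client_host: {service: set(server_ips)}} for monitored flows.

    A host that receives traffic on a service port is treated as a server for
    that service and is exempt from the client-side count (assumption).
    """
    serving = defaultdict(set)
    for f in flows:
        svc = classify(f)
        if svc is not None:
            serving[f["dst"]].add(svc)

    servers = defaultdict(lambda: defaultdict(set))
    for f in flows:
        svc = classify(f)
        if svc is None or svc in serving.get(f["src"], ()):
            continue
        servers[f["src"]][svc].add(f["dst"])  # a set, so repeats do not inflate the count
    return servers


def check_thresholds(flows, thresholds=THRESHOLDS):
    """Return sorted (host, service, distinct_server_count) tuples over the threshold."""
    alerts = []
    for host, per_svc in count_servers(flows).items():
        for svc, ips in per_svc.items():
            if len(ips) > thresholds[svc]:
                alerts.append((host, svc, len(ips)))
    return sorted(alerts)


# Constructed sample flows.
SAMPLE_FLOWS = (
    # 10.0.0.7 contacts eight distinct external SMTP servers: spambot-like behaviour.
    [flow("10.0.0.7", f"198.51.100.{i}", "tcp", 25) for i in range(1, 9)]
    # It also uses two resolvers, which is within the DNS threshold.
    + [flow("10.0.0.7", "192.0.2.53", "udp", 53), flow("10.0.0.7", "192.0.2.54", "udp", 53)]
    # 10.0.0.8 syncs time with three NTP servers, repeatedly: normal.
    + [flow("10.0.0.8", f"203.0.113.{i}", "udp", 123) for i in range(1, 4)]
    + [flow("10.0.0.8", "203.0.113.1", "udp", 123)] * 10
    # 10.0.0.9 is the site mail relay: it receives SMTP and delivers to seven peers, so it is exempt.
    + [flow("192.0.2.50", "10.0.0.9", "tcp", 25)]
    + [flow("10.0.0.9", f"198.51.100.{i}", "tcp", 25) for i in range(20, 27)]
)

if __name__ == "__main__":
    for host, svc, n in check_thresholds(SAMPLE_FLOWS):
        print(f"ALERT {host}: contacted {n} distinct {svc} servers (threshold {THRESHOLDS[svc]})")
```

Only 10.0.0.7 is reported: 10.0.0.8 stays under the NTP threshold because repeated flows to the same server count once, and 10.0.0.9 is skipped because it is itself a mail server. Counting distinct servers rather than flows is what keeps a busy but legitimate client from tripping the check.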