stratosphereips / StratosphereLinuxIPS

Slips, a free software behavioral Python intrusion prevention system (IDS/IPS) that uses machine learning to detect malicious behaviors in the network traffic. Stratosphere Laboratory, AIC, FEL, CVUT in Prague.

DNS without connection still has FP to solve #752

Open AlyaGomaa opened 3 months ago

AlyaGomaa commented 3 months ago

Slips version: 1.0.6
File: CTU-SME-11/CTU-SME-11/Experiment-VM-Linux-Ubuntu2204-1/2023-02-20/raw/2023-02-20-00-00-03-192.168.1.109.pcap
Branch: develop
Commit: b44b585a68a4e2d3670dc03337b1e4671a2464ad

```
grep ads.servenobid.com alerts.log
2023-02-20T11:07:50.528144+01:00: Src IP 192.168.1.109 (project-VirtualBox). Detected domain ads.servenobid.com resolved with no connection
```

But there are TLS connections, so after DNS we are not checking TLS correctly.

```
grep ads.servenobid.com zeek_files/*

zeek_files/dns.log:{"ts":1676887670.528144,"uid":"CeM7b54FHMfMDTVdBe","id.orig_h":"192.168.1.109","id.orig_p":36744,"id.resp_h":"1.1.1.1","id.resp_p":53,"proto":"udp","trans_id":56898,"rtt":0.0017821788787841797,"query":"ads.servenobid.com","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["54.154.15.68","52.211.37.197","52.16.42.109","34.251.247.133","3.248.146.129","34.249.209.209","54.72.140.57","63.32.229.236"],"TTLs":[55.0,55.0,55.0,55.0,55.0,55.0,55.0,55.0],"rejected":false}
zeek_files/dns.log:{"ts":1676887670.528144,"uid":"CeM7b54FHMfMDTVdBe","id.orig_h":"192.168.1.109","id.orig_p":36744,"id.resp_h":"1.1.1.1","id.resp_p":53,"proto":"udp","trans_id":56898,"rtt":0.0017821788787841797,"query":"ads.servenobid.com","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["54.154.15.68","52.211.37.197","52.16.42.109","34.251.247.133","3.248.146.129","34.249.209.209","54.72.140.57","63.32.229.236"],"TTLs":[55.0,55.0,55.0,55.0,55.0,55.0,55.0,55.0],"rejected":false}
zeek_files/dns.log:{"ts":1676887770.87311,"uid":"CTuw5T2vrMt0WgjXpi","id.orig_h":"192.168.1.109","id.orig_p":56835,"id.resp_h":"1.1.1.1","id.resp_p":53,"proto":"udp","trans_id":34574,"rtt":0.0020589828491210938,"query":"ads.servenobid.com","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["52.16.42.109","18.203.169.148","3.248.146.129","54.72.140.57","54.154.15.68","63.32.229.236","52.210.104.16","34.251.247.133"],"TTLs":[28.0,28.0,28.0,28.0,28.0,28.0,28.0,28.0],"rejected":false}
zeek_files/dns.log:{"ts":1676887770.87311,"uid":"CTuw5T2vrMt0WgjXpi","id.orig_h":"192.168.1.109","id.orig_p":56835,"id.resp_h":"1.1.1.1","id.resp_p":53,"proto":"udp","trans_id":34574,"rtt":0.0020589828491210938,"query":"ads.servenobid.com","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["52.16.42.109","18.203.169.148","3.248.146.129","54.72.140.57","54.154.15.68","63.32.229.236","52.210.104.16","34.251.247.133"],"TTLs":[28.0,28.0,28.0,28.0,28.0,28.0,28.0,28.0],"rejected":false}
zeek_files/ssl.log:{"ts":1676887670.75272,"uid":"Cftrx1w0SWNLTkJnc","id.orig_h":"192.168.1.109","id.orig_p":53574,"id.resp_h":"54.154.15.68","id.resp_p":443,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","curve":"secp256r1","server_name":"ads.servenobid.com","resumed":false,"next_protocol":"h2","established":true,"ssl_history":"CsxknGIti","cert_chain_fps":["176443dc021dc21c5efdfe922e7b2395acba0c30e516361e0e9e1da9599be984","b0f330a31a0c50987e1c3a7bb02c2dda682991d3165b517bd44fba4a6020bd94","87dcd4dc74640a322cd205552506d1be64f12596258096544986b4850bc72706","28689b30e4c306aab53b027b29e36ad6dd1dcf4b953994482ca84bdc1ecac996"],"client_cert_chain_fps":[],"sni_matches_cert":true,"ja3":"579ccef312d18482fc42e2b822ca2430","ja3s":"8d2a028aa94425f76ced7826b1f39039","is_DoH":false}
zeek_files/ssl.log:{"ts":1676887688.440106,"uid":"CVb3jM3yNm5PErQOUl","id.orig_h":"192.168.1.109","id.orig_p":60902,"id.resp_h":"54.154.15.68","id.resp_p":443,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","curve":"secp256r1","server_name":"ads.servenobid.com","resumed":false,"next_protocol":"h2","established":true,"ssl_history":"CsxknGIti","cert_chain_fps":["176443dc021dc21c5efdfe922e7b2395acba0c30e516361e0e9e1da9599be984","b0f330a31a0c50987e1c3a7bb02c2dda682991d3165b517bd44fba4a6020bd94","87dcd4dc74640a322cd205552506d1be64f12596258096544986b4850bc72706","28689b30e4c306aab53b027b29e36ad6dd1dcf4b953994482ca84bdc1ecac996"],"client_cert_chain_fps":[],"sni_matches_cert":true,"ja3":"579ccef312d18482fc42e2b822ca2430","ja3s":"8d2a028aa94425f76ced7826b1f39039","is_DoH":false}
zeek_files/x509.log:{"ts":1676887670.79129,"fingerprint":"176443dc021dc21c5efdfe922e7b2395acba0c30e516361e0e9e1da9599be984","certificate.version":3,"certificate.serial":"052A425676CBC9FEA97E98DA463CD6A8","certificate.subject":"CN=ads.servenobid.com","certificate.issuer":"CN=Amazon RSA 2048 M02,O=Amazon,C=US","certificate.not_valid_before":1675897200.0,"certificate.not_valid_after":1687903199.0,"certificate.key_alg":"rsaEncryption","certificate.sig_alg":"sha256WithRSAEncryption","certificate.key_type":"rsa","certificate.key_length":2048,"certificate.exponent":"65537","san.dns":["ads.servenobid.com","events.servenobids.com","events-ireland.servenobids.com","ads-ireland.servenobid.com"],"basic_constraints.ca":false,"host_cert":true,"client_cert":false}
```

Created by Alya Gomaa via monday.com integration. 🎉
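Added example (my code, not Slips' implementation and not part of the issue): a minimal version of the check the report says is missing, correlating each successful DNS resolution with later ssl.log records from the same host by answered IP or by SNI. The records are trimmed from the dns.log/ssl.log lines quoted above (only the fields the check reads), the `*.example` records are invented, and the SNI rule and the one-hour window are my assumptions rather than Slips' logic.

```python
import json

# Constructed samples: the first DNS record and the first two TLS records are trimmed from
# the dns.log / ssl.log lines quoted in the issue (only the fields the check needs); the
# *.example records are invented to cover the SNI-only case and a real "no connection" case.
DNS_LOG = [
    '{"ts":1676887670.528144,"uid":"CeM7b54FHMfMDTVdBe","id.orig_h":"192.168.1.109",'
    '"query":"ads.servenobid.com","rcode_name":"NOERROR",'
    '"answers":["54.154.15.68","52.211.37.197","52.16.42.109","34.251.247.133"]}',
    '{"ts":1676887700.0,"uid":"Cinvented01","id.orig_h":"192.168.1.109",'
    '"query":"cdn-rotated.example","rcode_name":"NOERROR","answers":["203.0.113.10"]}',
    '{"ts":1676887800.0,"uid":"Cinvented02","id.orig_h":"192.168.1.109",'
    '"query":"never-contacted.example","rcode_name":"NOERROR","answers":["203.0.113.7"]}',
]
SSL_LOG = [
    '{"ts":1676887670.75272,"uid":"Cftrx1w0SWNLTkJnc","id.orig_h":"192.168.1.109",'
    '"id.resp_h":"54.154.15.68","id.resp_p":443,"server_name":"ads.servenobid.com"}',
    '{"ts":1676887688.440106,"uid":"CVb3jM3yNm5PErQOUl","id.orig_h":"192.168.1.109",'
    '"id.resp_h":"54.154.15.68","id.resp_p":443,"server_name":"ads.servenobid.com"}',
    '{"ts":1676887705.0,"uid":"Cinvented03","id.orig_h":"192.168.1.109",'
    '"id.resp_h":"203.0.113.11","id.resp_p":443,"server_name":"cdn-rotated.example"}',
]

def connection_evidence(dns_rec, ssl_recs, window=3600.0):
    """Why a resolution must NOT be alerted: 'dst_ip' if the same host later opened TLS to
    one of the answered IPs, 'sni' if it later sent the queried name as SNI (the IP came
    from another lookup, e.g. CDN rotation), None if there is no evidence in the window."""
    answers = set(dns_rec.get("answers", []))
    for s in ssl_recs:
        if s["id.orig_h"] != dns_rec["id.orig_h"] or not (
            dns_rec["ts"] <= s["ts"] <= dns_rec["ts"] + window
        ):
            continue
        if s.get("id.resp_h") in answers:
            return "dst_ip"
        if s.get("server_name") == dns_rec["query"]:
            return "sni"
    return None

def classify_resolutions(dns_lines, ssl_lines, window=3600.0):
    """(query, evidence) per successful resolution; evidence None is the only alert case."""
    ssl_recs = [json.loads(line) for line in ssl_lines]
    out = []
    for line in dns_lines:
        q = json.loads(line)
        if q.get("rcode_name") != "NOERROR" or not q.get("answers"):
            continue  # failed or empty resolutions belong to a different detection
        out.append((q["query"], connection_evidence(q, ssl_recs, window)))
    return out
```

Run against these samples, ads.servenobid.com is cleared by the TLS session to 54.154.15.68 (exactly the evidence the alert above ignored), and only the never-contacted name remains an alert candidate.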