Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DNS without connection still has FP to solve #752

Open
AlyaGomaa opened this issue Jul 3, 2024 · 0 comments
Open

DNS without connection still has FP to solve #752

AlyaGomaa opened this issue Jul 3, 2024 · 0 comments

Comments

@AlyaGomaa
Copy link
Collaborator

AlyaGomaa commented Jul 3, 2024
edited
Loading

Slips version: 1.0.6
File: CTU-SME-11/CTU-SME-11/Experiment-VM-Linux-Ubuntu2204-1/2023-02-20/raw/2023-02-20-00-00-03-192.168.1.109.pcap
Branch: develop
Commit: b44b585

grep ads.servenobid.com alerts.log
2023-02-20T11:07:50.528144+01:00: Src IP 192.168.1.109 (project-VirtualBox). Detected domain ads.servenobid.com resolved with no connection
but there are TLS connections. so after DNS we are not checking TLS correctly

grep ads.servenobid.com zeek_files/*

zeek_files/dns.log:{"ts":1676887670.528144,"uid":"CeM7b54FHMfMDTVdBe","id.orig_h":"192.168.1.109","id.orig_p":36744,"id.resp_h":"1.1.1.1","id.resp_p":53,"proto":"udp","trans_id":56898,"rtt":0.0017821788787841797,"query":"ads.servenobid.com","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["54.154.15.68","52.211.37.197","52.16.42.109","34.251.247.133","3.248.146.129","34.249.209.209","54.72.140.57","63.32.229.236"],"TTLs":[55.0,55.0,55.0,55.0,55.0,55.0,55.0,55.0],"rejected":false}
zeek_files/dns.log:{"ts":1676887670.528144,"uid":"CeM7b54FHMfMDTVdBe","id.orig_h":"192.168.1.109","id.orig_p":36744,"id.resp_h":"1.1.1.1","id.resp_p":53,"proto":"udp","trans_id":56898,"rtt":0.0017821788787841797,"query":"ads.servenobid.com","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["54.154.15.68","52.211.37.197","52.16.42.109","34.251.247.133","3.248.146.129","34.249.209.209","54.72.140.57","63.32.229.236"],"TTLs":[55.0,55.0,55.0,55.0,55.0,55.0,55.0,55.0],"rejected":false}
zeek_files/dns.log:{"ts":1676887770.87311,"uid":"CTuw5T2vrMt0WgjXpi","id.orig_h":"192.168.1.109","id.orig_p":56835,"id.resp_h":"1.1.1.1","id.resp_p":53,"proto":"udp","trans_id":34574,"rtt":0.0020589828491210938,"query":"ads.servenobid.com","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["52.16.42.109","18.203.169.148","3.248.146.129","54.72.140.57","54.154.15.68","63.32.229.236","52.210.104.16","34.251.247.133"],"TTLs":[28.0,28.0,28.0,28.0,28.0,28.0,28.0,28.0],"rejected":false}
zeek_files/dns.log:{"ts":1676887770.87311,"uid":"CTuw5T2vrMt0WgjXpi","id.orig_h":"192.168.1.109","id.orig_p":56835,"id.resp_h":"1.1.1.1","id.resp_p":53,"proto":"udp","trans_id":34574,"rtt":0.0020589828491210938,"query":"ads.servenobid.com","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["52.16.42.109","18.203.169.148","3.248.146.129","54.72.140.57","54.154.15.68","63.32.229.236","52.210.104.16","34.251.247.133"],"TTLs":[28.0,28.0,28.0,28.0,28.0,28.0,28.0,28.0],"rejected":false}
zeek_files/ssl.log:{"ts":1676887670.75272,"uid":"Cftrx1w0SWNLTkJnc","id.orig_h":"192.168.1.109","id.orig_p":53574,"id.resp_h":"54.154.15.68","id.resp_p":443,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","curve":"secp256r1","server_name":"ads.servenobid.com","resumed":false,"next_protocol":"h2","established":true,"ssl_history":"CsxknGIti","cert_chain_fps":["176443dc021dc21c5efdfe922e7b2395acba0c30e516361e0e9e1da9599be984","b0f330a31a0c50987e1c3a7bb02c2dda682991d3165b517bd44fba4a6020bd94","87dcd4dc74640a322cd205552506d1be64f12596258096544986b4850bc72706","28689b30e4c306aab53b027b29e36ad6dd1dcf4b953994482ca84bdc1ecac996"],"client_cert_chain_fps":[],"sni_matches_cert":true,"ja3":"579ccef312d18482fc42e2b822ca2430","ja3s":"8d2a028aa94425f76ced7826b1f39039","is_DoH":false}
zeek_files/ssl.log:{"ts":1676887688.440106,"uid":"CVb3jM3yNm5PErQOUl","id.orig_h":"192.168.1.109","id.orig_p":60902,"id.resp_h":"54.154.15.68","id.resp_p":443,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","curve":"secp256r1","server_name":"ads.servenobid.com","resumed":false,"next_protocol":"h2","established":true,"ssl_history":"CsxknGIti","cert_chain_fps":["176443dc021dc21c5efdfe922e7b2395acba0c30e516361e0e9e1da9599be984","b0f330a31a0c50987e1c3a7bb02c2dda682991d3165b517bd44fba4a6020bd94","87dcd4dc74640a322cd205552506d1be64f12596258096544986b4850bc72706","28689b30e4c306aab53b027b29e36ad6dd1dcf4b953994482ca84bdc1ecac996"],"client_cert_chain_fps":[],"sni_matches_cert":true,"ja3":"579ccef312d18482fc42e2b822ca2430","ja3s":"8d2a028aa94425f76ced7826b1f39039","is_DoH":false}
zeek_files/x509.log:{"ts":1676887670.79129,"fingerprint":"176443dc021dc21c5efdfe922e7b2395acba0c30e516361e0e9e1da9599be984","certificate.version":3,"certificate.serial":"052A425676CBC9FEA97E98DA463CD6A8","certificate.subject":"CN=ads.servenobid.com","certificate.issuer":"CN=Amazon RSA 2048 M02,O=Amazon,C=US","certificate.not_valid_before":1675897200.0,"certificate.not_valid_after":1687903199.0,"certificate.key_alg":"rsaEncryption","certificate.sig_alg":"sha256WithRSAEncryption","certificate.key_type":"rsa","certificate.key_length":2048,"certificate.exponent":"65537","san.dns":["ads.servenobid.com","events.servenobids.com","events-ireland.servenobids.com","ads-ireland.servenobid.com"],"basic_constraints.ca":false,"host_cert":true,"client_cert":false}

Created by Alya Gomaa via monday.com integration. 🎉
@AlyaGomaa AlyaGomaa added this to Slips Jul 12, 2024
@github-project-automation github-project-automation bot moved this to Todo in Slips Jul 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
Slips
Status: Todo
Milestone
No milestone
Development

No branches or pull requests
1 participant
@AlyaGomaa