If anyone is interested I have the beginnings of a redirect/driveby
analysis policy script here:
I've only tested it on pcaps but it seems to work nicely. I imagine the
output is a little difficult to interpret if you don't understand what
the script is doing but I think it may be a good foundation for
something. Thoughts and feedback are welcome.
Yeah, this is kind of cool. In a nutshell, this adds:
dns_domain dns_uid http_uri http_domain http_uid
to your conn.log. Kind of handy for tracking. Thanks for this, Anthony. I'll try this out full on in dev and, if good, go into production. I'll let you know if I run into any snags or surprises.
I’m glad you like it.
You shouldn't plug this script directly into a production sensor without modifying it a bit. I wrote it with a very specific use case in mind: highlighting important connections in pcaps recorded in VMs that visit drive-by sites.
Thanks Anthony…I’ll be careful
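For readers who want to see what "adding dns_domain, dns_uid, http_uri, http_domain and http_uid to conn.log" looks like as a policy script, here is an added illustration. It is not Anthony's script and none of it comes from this thread; only the five field names do. The meaning assigned to each field is this example's own assumption: dns_domain/dns_uid record the DNS query (and the uid of the DNS connection) whose answer contained the destination address, http_domain/http_uri record the first request seen on the connection, and http_uid is the uid of the connection that fetched the page named in the Referer header, which is what lets a redirect chain be walked through conn.log alone. The handler priorities assume the base conn script creates c$conn at priority 5 and writes it at priority -5 in connection_state_remove.

```zeek
##! Added illustration, not the script posted in this thread: annotate
##! conn.log with the DNS lookup that resolved the destination address and
##! with the HTTP host/URI seen on the connection, so a redirect chain can
##! be followed through conn.log by uid. Field names follow the thread;
##! what each field holds is this example's own assumption.

module DriveBy;

export {
	redef record Conn::Info += {
		# name whose DNS answer contained resp_h, and the uid of that lookup
		dns_domain:  string &log &optional;
		dns_uid:     string &log &optional;
		# first request on this connection: URI and Host header
		http_uri:    string &log &optional;
		http_domain: string &log &optional;
		# uid of the connection that fetched the page named in Referer
		http_uid:    string &log &optional;
	};

	type Resolution: record {
		domain: string;
		uid:    string;
	};

	# Assumption: the most recent answer for an address is the relevant
	# one. On shared hosting or behind a CDN this is a guess, not a fact.
	global resolved: table[addr] of Resolution &write_expire=1hr;

	# "host/path" -> uid of the connection that requested it.
	global requested: table[string] of string &write_expire=1hr;
}

# Scratch fields on the connection record, filled while it is alive.
redef record connection += {
	driveby_domain:  string &optional;
	driveby_uri:     string &optional;
	driveby_ref_uid: string &optional;
};

event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
	{
	resolved[a] = [$domain=ans$query, $uid=c$uid];
	}

event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
	{
	resolved[a] = [$domain=ans$query, $uid=c$uid];
	}

# End of a request message: HTTP::Info carries host, uri and referrer by
# now. Only the first request on a connection is kept; keep-alive reuse
# of the same connection for later requests is deliberately ignored.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
	{
	if ( ! is_orig || ! c?$http || c?$driveby_uri )
		return;

	local host = c$http?$host ? c$http$host : fmt("%s", c$id$resp_h);
	local uri  = c$http?$uri ? c$http$uri : "/";
	c$driveby_domain = host;
	c$driveby_uri = uri;
	requested[host + uri] = c$uid;

	if ( c$http?$referrer )
		{
		# Referer is a full URL; the table is keyed on host+path only.
		local ref = sub(c$http$referrer, /^https?:\/\//, "");
		if ( ref in requested )
			c$driveby_ref_uid = requested[ref];
		}
	}

# Assumption: the base conn script creates c$conn at priority 5 and logs
# it at priority -5, so a default-priority handler can fill the new
# fields in between.
event connection_state_remove(c: connection)
	{
	if ( c$id$resp_h in resolved )
		{
		c$conn$dns_domain = resolved[c$id$resp_h]$domain;
		c$conn$dns_uid = resolved[c$id$resp_h]$uid;
		}
	if ( c?$driveby_uri )
		{
		c$conn$http_uri = c$driveby_uri;
		c$conn$http_domain = c$driveby_domain;
		}
	if ( c?$driveby_ref_uid )
		c$conn$http_uid = c$driveby_ref_uid;
	}
```

Run it against a capture with something like `bro -r sample.pcap driveby.bro` (both file names are placeholders) and read conn.log: for each HTTP connection the http_uid column points at the uid of the connection that referred to it, and dns_uid at the lookup that produced the destination IP. The address-keyed resolution table is the part that makes this a pcap-analysis aid rather than a production sensor policy, which is the same caveat raised above: on a busy sensor many names resolve to one address and the "last answer wins" rule will attribute connections to the wrong lookup.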