Redirect Chain Script

anthony_kasza1 · November 7, 2014, 4:19am

If anyone is interested I have the beginnings of a redirect/driveby
analysis policy script here:
<https://github.com/anthonykasza/scratch_pad/tree/master/redirections>.

I've only tested it on pcaps but it seems to work nicely. I image the
output is a little difficult to interpret if you don't understand what
the script is doing but I think it may be a good foundation for
something. Thoughts and feedback are welcome.

-AK

James_Lay · November 7, 2014, 5:54pm

Yea this is kind of cool....in a nutshell, this adds:

dns_domain dns_uid http_uri http_domain http_uid

to your conn.log...kind of handy for tracking...thanks for this Anthony...I'll try this out full on in dev and if good go into production. I'll let you know if I run into any snags or surprises.

James

anthony_kasza1 · November 7, 2014, 6:29pm

I’m glad you like it.
You shouldn’t plug this script directly into a production sensor without modifying it a bit. I wrote it with a very specific use case in mind: highlighting important connections in pcaps recorded in VMs that visit drive by sites.

-AK

James_Lay · November 8, 2014, 1:34am

Thanks Anthony…I’ll be careful

James

Topic		Replies	Views
[JIRA] (BIT-1286) Add policy script for Windows version detection via CryptoAPI HTTP Traffic Development development	1	66	May 6, 2022
[JIRA] (BIT-1133) topic/jsiwek/dns-perf Development development	1	90	May 6, 2022
script/cluster management practices Zeek	1	58	May 6, 2022
[Bro-Commits] [git/bro] topic/robin/master-test: Merge remote-tracking branch 'remotes/origin/topic/seth/elasticsearch' into topic/robin/master-test (eef8b7d) Development development	3	49	May 6, 2022
[Bro-Commits] [git/bro] master: Async DNS lookups may cause memleaks under certain conditions. (6c806b0) Development development	1	61	May 6, 2022

Redirect Chain Script

Related Topics