Hello, welcome to the Monday, October 28, 2019 edition of the San San Antonio Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Santa Monica, California.

If you got an interesting detect that Guy wrote up this weekend, these are requests to his honeypots that do include a somewhat unusual

BS underscore real underscore IP header.

Now first of all, it's somewhat unusual to have headers with underscores instead of dashes

in them, and then secondly, this particular content was double Bay 64 encoded.

Now, once they coded, it revealed two IP addresses. One of the IP addresses was the source of

the traffic. The second one, well, not really clear what it does, but appears to be a scanner

for web servers. So what's possibly happening here is that this is some kind of proxy chain

that keeps adding IP addresses and probably each time sort of base 64 encoding this particular

header.

Quick Google search showed that this header was seen the first time about a year ago.

Like last September was of the earliest entry that I found, but couldn't link it to a particular

tool.

If anybody knows, please share.

And Rob wrote a diary talking about how to parse DNS logs in a Windows environment.

So first of all, how to enable the logging on your Windows DNS server, and then how to use

PowerShell to parse the logs.

Interestingly, in the example that he found, he did run into some odd issues, odd DNS requests

from a switch, and that switch may actually have been infected, but that particular part

of the investigation is still outstanding.

...