Hello and welcome to the Tuesday, January 24th, 2003 edition of the Sandstone at Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

So again, today's diary, is answering a question that I have been often asked, and there really hasn't been sort of an easy answer necessarily for that question.

And that's which process on a Linux host did resolve a particular host name.

You may have, for example, some DNS logs that indicate that a certain system in your network did resolve

a suspicious host name, but now you try to figure out which process it was on that system.

For example, a mail server. A lot of mail servers, for example, as part of receiving email,

will resolve various host names

that they receive email from,

just for spam lookup and such.

Well, it can be difficult to distinguish

those lookups from maybe some kind of backdoor

or so being installed on that same mail server. Now, Xavier here is using a little bit of a cheat kind of backdoor or so being installed on that same mail server.

Now, Xavier here is using a little bit of a cheat kind of in that he uses Sysmon.

Sysmon usually use it for Windows, but has also been available for Linux now for a while.

And Sysmon is able to not just log DNS queries on a host, but also

which process actually triggered the DNS query. And then once you sort of have the process

identified, you can also use S-trace in order to then dump more information about the particular network activity and, well, but in order to then dump more information about the particular network activity.

And, well, but in order to do that, you typically first want to know what process ID to actually follow

because Estrease itself can output quite a ton of data.

As usual, you'll find more details in Xavier's diary. And then we got

updates for everything from Apple. Apple updated iOS, iPad OS, watchOS, and MacOS as well as Safari. Now now it didn't just update the latest versions of these

...