Hello and welcome to the Tuesday, November 14th, 2020,

edition of the San Antonio Storm Center's Stormcast.

My name is Johannes Ulrich.

And today'm recording from Jacksonville, Florida.

Manuel today wrote a quick reminder that's, well, also one of my favorite topics,

DNS logs and how important they are

to detect intrusions. In particular, Manuel here is looking at the command control channels

that often use sort of some custom made-up names that the attacker registered. Now, yes, you have some sophisticated attackers that try to mimic specific well-known domain names

and try to kind of fly under the radar that way.

But quite often attackers are using essentially sort of random strings of letters and numbers in order to use these names

then as a domain name for their command and control channel. That of course is not that

difficult to spot what Manuel here is doing is looking at the frequency distribution of letters,

which prioritizes these random host names

because they usually have few duplicates,

and with that, you know, is able, in this case,

to spot pretty quickly and pretty easily relevant domain name.

Now, just one little trick here that Manuel isn't mentioning, if you do want to extract

things like, you know, here IP addresses and host names or domain names from a file like

this, from a PCAP, if you don't have an existing tool, it actually T-Shark works really well for this if you just want to

extract the relevant fields. Take a look at the dash capital T and then fields option and then you

can just list individual fields. And then we have a somewhat concerning paper about the security

of SSH from four researchers at the University of California, San Diego.

...