Download from Suspicious Dyndns Hosts

Detects download of certain file types from hosts with dynamic DNS names (selected list)

Rule Content

- title: Download from Suspicious Dyndns Hosts
  id: 195c1119-ef07-4909-bb12-e66f5e07bf3c
  status: experimental
  description: Detects download of certain file types from hosts with dynamic DNS
    names (selected list)
  references:
  - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
  author: Florian Roth
  date: 2017/11/08
  logsource:
    category: proxy
    product: null
    service: null
  detection:
    selection:
      c-uri-extension:
      - exe
      - vbs
      - bat
      - rar
      - ps1
      - doc
      - docm
      - xls
      - xlsm
      - pptm
      - rtf
      - hta
      - dll
      - ws
      - wsf
      - sct
      - zip
      r-dns:
      - '*.hopto.org'
      - '*.no-ip.org'
      - '*.no-ip.info'
      - '*.no-ip.biz'
      - '*.no-ip.com'
      - '*.noip.com'
      - '*.ddns.name'
      - '*.myftp.org'
      - '*.myftp.biz'
      - '*.serveblog.net'
      - '*.servebeer.com'
      - '*.servemp3.com'
      - '*.serveftp.com'
      - '*.servequake.com'
      - '*.servehalflife.com'
      - '*.servehttp.com'
      - '*.servegame.com'
      - '*.servepics.com'
      - '*.myvnc.com'
      - '*.ignorelist.com'
      - '*.jkub.com'
      - '*.dlinkddns.com'
      - '*.jumpingcrab.com'
      - '*.ddns.info'
      - '*.mooo.com'
      - '*.dns-dns.com'
      - '*.strangled.net'
      - '*.adultdns.net'
      - '*.craftx.biz'
      - '*.ddns01.com'
      - '*.dns53.biz'
      - '*.dnsapi.info'
      - '*.dnsd.info'
      - '*.dnsdynamic.com'
      - '*.dnsdynamic.net'
      - '*.dnsget.org'
      - '*.fe100.net'
      - '*.flashserv.net'
      - '*.ftp21.net'
      - '*.http01.com'
      - '*.http80.info'
      - '*.https443.com'
      - '*.imap01.com'
      - '*.kadm5.com'
      - '*.mysq1.net'
      - '*.ns360.info'
      - '*.ntdll.net'
      - '*.ole32.com'
      - '*.proxy8080.com'
      - '*.sql01.com'
      - '*.ssh01.com'
      - '*.ssh22.net'
      - '*.tempors.com'
      - '*.tftpd.net'
      - '*.ttl60.com'
      - '*.ttl60.org'
      - '*.user32.com'
      - '*.voip01.com'
      - '*.wow64.net'
      - '*.x64.me'
      - '*.xns01.com'
      - '*.dyndns.org'
      - '*.dyndns.info'
      - '*.dyndns.tv'
      - '*.dyndns-at-home.com'
      - '*.dnsomatic.com'
      - '*.zapto.org'
      - '*.webhop.net'
      - '*.25u.com'
      - '*.slyip.net'
    condition: selection
  fields:
  - cs-ip
  - c-uri
  falsepositives:
  - Software downloads
  level: medium
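Added example, not part of the Sigma rule or the HELK notebook: a small Python implementation of the rule's selection logic (extension of the requested URI AND resolved hostname matching one of the dynamic-DNS wildcards), run over a few constructed proxy log lines, plus the escaping step that turns the Sigma wildcard values into the Lucene query_string clause the notebook cells run. The log format (a space-separated W3C-style line with date, time, c-ip, cs-method, c-uri, r-dns), the hosts and client IPs in it, and the function names are all assumptions; the extension and domain lists are subsets of the rule's lists above.

```python
import fnmatch
import re
from urllib.parse import urlparse

# Subset of the rule's c-uri-extension values (the full list is in the rule above).
SUSPICIOUS_EXTENSIONS = {
    "exe", "vbs", "bat", "rar", "ps1", "doc", "docm", "xls", "xlsm",
    "pptm", "rtf", "hta", "dll", "ws", "wsf", "sct", "zip",
}

# Subset of the rule's r-dns wildcard patterns (the full list is in the rule above).
DYNDNS_PATTERNS = [
    "*.hopto.org", "*.no-ip.org", "*.no-ip.biz", "*.ddns.name",
    "*.dyndns.org", "*.zapto.org", "*.mooo.com", "*.x64.me",
]

# Constructed sample proxy log, not real traffic. Columns (space separated):
# date time c-ip cs-method c-uri r-dns
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method c-uri r-dns
2017-11-08 10:01:02 10.0.0.5 GET http://update.example.net/patch.zip update.example.net
2017-11-08 10:01:09 10.0.0.7 GET http://files.hopto.org/invoice.doc files.hopto.org
2017-11-08 10:01:15 10.0.0.7 GET http://files.hopto.org/index.html files.hopto.org
2017-11-08 10:02:30 10.0.0.9 GET http://host.no-ip.biz/setup.EXE?id=1 host.no-ip.biz
2017-11-08 10:03:00 10.0.0.9 GET http://10.1.2.3/tool.exe 10.1.2.3
"""


def uri_extension(uri):
    """Extension of the URI path (lowercase), or '' when the path has none.

    Mirrors a proxy's c-uri-extension field: the query string and any
    directory components are ignored, only the last path segment counts.
    """
    last_segment = urlparse(uri).path.rsplit("/", 1)[-1]
    if "." not in last_segment:
        return ""
    return last_segment.rsplit(".", 1)[-1].lower()


def host_matches(rdns, patterns=DYNDNS_PATTERNS):
    """True if the resolved hostname matches one of the Sigma wildcard patterns.

    Sigma's '*' matches any run of characters, which is exactly fnmatch's '*'
    (it also crosses dots, so 'a.b.hopto.org' matches '*.hopto.org').
    The bare apex 'hopto.org' does not match, as in the rule.
    """
    host = rdns.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns)


def detect(log_text):
    """Apply the rule's selection to each log line; return the rule's 'fields'."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):   # skip W3C-style directive lines
            continue
        parts = line.split()
        if len(parts) != 6:
            continue                           # malformed line, ignore
        _date, _time, c_ip, _method, c_uri, r_dns = parts
        if uri_extension(c_uri) in SUSPICIOUS_EXTENSIONS and host_matches(r_dns):
            hits.append({"cs-ip": c_ip, "c-uri": c_uri})
    return hits


# Characters Lucene query_string treats specially; '*' is left alone so the
# Sigma wildcard survives as a Lucene wildcard. This is why the notebook's
# query reads '*.no\-ip.org' rather than '*.no-ip.org'.
_LUCENE_SPECIAL = re.compile(r'([+\-!(){}\[\]^"~?:\\/ ])')


def lucene_term(pattern):
    """Escape a Sigma value for use inside a Lucene query_string clause."""
    return _LUCENE_SPECIAL.sub(r"\\\1", pattern)


def build_query(extensions=SUSPICIOUS_EXTENSIONS, patterns=DYNDNS_PATTERNS):
    """Assemble the same shape of query_string the notebook cell runs."""
    ext_clause = " OR ".join('"%s"' % e for e in sorted(extensions))
    dns_clause = " OR ".join(lucene_term(p) for p in patterns)
    return "(c-uri-extension:(%s) AND r-dns.keyword:(%s))" % (ext_clause, dns_clause)


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print("ALERT", hit)
    print(build_query())
```

On the constructed log only the invoice.doc and setup.EXE requests fire: patch.zip comes from a non-dyndns host, index.html is not a listed extension, and tool.exe is fetched from a bare IP with no matching r-dns. Note that the match is purely on the suffix list, so any benign software mirror hosted under one of these domains also fires, which is the "Software downloads" false positive the rule declares.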

Querying Elasticsearch

Import Libraries


In [ ]:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd

Initialize Elasticsearch client


In [ ]:
es = Elasticsearch(['http://helk-elasticsearch:9200'])  # HELK's Elasticsearch endpoint
searchContext = Search(using=es, index='logs-*', doc_type='doc')  # index pattern holding the proxy logs

Run Elasticsearch Query


In [ ]:
s = searchContext.query('query_string', query='(c-uri-extension:("exe" OR "vbs" OR "bat" OR "rar" OR "ps1" OR "doc" OR "docm" OR "xls" OR "xlsm" OR "pptm" OR "rtf" OR "hta" OR "dll" OR "ws" OR "wsf" OR "sct" OR "zip") AND r-dns.keyword:(*.hopto.org OR *.no\-ip.org OR *.no\-ip.info OR *.no\-ip.biz OR *.no\-ip.com OR *.noip.com OR *.ddns.name OR *.myftp.org OR *.myftp.biz OR *.serveblog.net OR *.servebeer.com OR *.servemp3.com OR *.serveftp.com OR *.servequake.com OR *.servehalflife.com OR *.servehttp.com OR *.servegame.com OR *.servepics.com OR *.myvnc.com OR *.ignorelist.com OR *.jkub.com OR *.dlinkddns.com OR *.jumpingcrab.com OR *.ddns.info OR *.mooo.com OR *.dns\-dns.com OR *.strangled.net OR *.adultdns.net OR *.craftx.biz OR *.ddns01.com OR *.dns53.biz OR *.dnsapi.info OR *.dnsd.info OR *.dnsdynamic.com OR *.dnsdynamic.net OR *.dnsget.org OR *.fe100.net OR *.flashserv.net OR *.ftp21.net OR *.http01.com OR *.http80.info OR *.https443.com OR *.imap01.com OR *.kadm5.com OR *.mysq1.net OR *.ns360.info OR *.ntdll.net OR *.ole32.com OR *.proxy8080.com OR *.sql01.com OR *.ssh01.com OR *.ssh22.net OR *.tempors.com OR *.tftpd.net OR *.ttl60.com OR *.ttl60.org OR *.user32.com OR *.voip01.com OR *.wow64.net OR *.x64.me OR *.xns01.com OR *.dyndns.org OR *.dyndns.info OR *.dyndns.tv OR *.dyndns\-at\-home.com OR *.dnsomatic.com OR *.zapto.org OR *.webhop.net OR *.25u.com OR *.slyip.net))')
response = s.execute()
df = pd.DataFrame()  # start empty so the next cell works even when the query fails
if response.success():
    # scan() pages through every matching document, not only the first page of hits
    df = pd.DataFrame((d.to_dict() for d in s.scan()))

Show Results


In [ ]:
df.head()