SANS ISC: Analyzing outgoing network traffic (part 2)

Analyzing outgoing network traffic (part 2)

Last week I posted a diary about analyzing outgoing network traffic and asked our readers to comment on what data sources they use when monitoring the outbound connections their users establish.

Besides the sources I listed in the original diary, we got quite a few comments and some good questions, so I'm combining all of these in this second diary:

These include the lists I verified in the meantime; for more, check the comments on the first diary.

One of our readers, Arnim, also asked about a potentially very useful list of IP addresses belonging to remote access services such as LogMeIn, NetViewer and similar. I'm not aware of such a list, but it would be very useful. Emerging Threats has something similar: a list of outgoing Tor nodes, but that only helps you figure out whether someone who visited your network used Tor. The list is available at http://rules.emergingthreats.net/open/suricata/rules/tor.rules

Thanks to everyone that submitted their comments, including Christian, Ben, Arnim, Hal, Matt, Brent and many others.

 

--
Bojan
INFIGO IS

 

I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Brussels February 2020

Bojan

384 Posts
ISC Handler
Hi,

I hope this will be helpful http://callbackdomains.wordpress.com/
Here I will be posting daily only malware callback domains and IPs.
They are extracted from behaviour analysis of malware samples and filtered based on heuristics removing the legitimate domains/IPs.

Any hit to those IPs or domains is a confirmed malware infection.
You can validate them by googling the domain/IP on the internet.
Anonymous
@Uma: That looks like a useful resource for automatic firewall/IDP maintenance. Are the lists available in a more easily usable downloadable file format, so that we don't have to write a blog scraper to get updates?
John Hardin

62 Posts
You can get the list from malwaredomainlist via this link:
http://www.malwaredomainlist.com/hostslist/hosts.txt
Rod

6 Posts
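The check a log-review or firewall-maintenance script would apply with lists like the ones discussed above, as an added example (not code from the diary or from any commenter): parse a hosts.txt-style domain list and a plain IP/CIDR list, then flag outbound connection log lines whose destination is listed, treating a subdomain of a listed domain as a hit. The list layouts, the log line format and all sample values are constructed assumptions, not the real lists.

```python
import ipaddress
import re

# Constructed sample in the hosts.txt layout (address, then hostname); not the real list.
SAMPLE_HOSTS = """\
# constructed malware domain list
127.0.0.1  localhost
127.0.0.1  bad-callback.example
127.0.0.1  update.evil-cdn.example   # trailing comment
"""
# Constructed IP indicator list (one address or CIDR per line) and constructed
# outbound-connection log lines: timestamp, source, destination host or IP.
SAMPLE_IPS = "198.51.100.7\n203.0.113.0/24\n"
SAMPLE_LOG = """\
2012-02-01T10:00:01 10.1.2.3 -> www.example.org
2012-02-01T10:00:05 10.1.2.4 -> cdn.bad-callback.example
2012-02-01T10:00:09 10.1.2.5 -> 203.0.113.44
2012-02-01T10:00:12 10.1.2.6 -> localhost
"""

def _entries(text):
    # Yield non-empty lines with '#' comments stripped.
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def parse_hosts_file(text):
    """Hostnames from a hosts.txt style list; the 'localhost' entry is not an indicator."""
    hosts = {e.split()[1].lower().rstrip(".") for e in _entries(text) if len(e.split()) > 1}
    return hosts - {"localhost"}

def parse_ip_list(text):
    return [ipaddress.ip_network(e, strict=False) for e in _entries(text)]

def domain_listed(host, domains):
    """True if host or any parent domain is listed (cdn.bad.example hits bad.example)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def ip_listed(addr, nets):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # destination is a hostname, not an address
        return False
    return any(ip in n for n in nets)

LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")

def find_hits(log_text, domains, nets):
    """(timestamp, source, destination) for every log line whose destination is listed."""
    return [m.groups() for m in map(LOG_RE.match, log_text.splitlines())
            if m and (ip_listed(m[3], nets) or domain_listed(m[3], domains))]
```

Running `find_hits(SAMPLE_LOG, parse_hosts_file(SAMPLE_HOSTS), parse_ip_list(SAMPLE_IPS))` returns the two matching lines and leaves the `localhost` entry and the unlisted site alone.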
@John
Sure, I will do it by next week.
Rod
2 Posts
You can find an overview of the downloadable lists at malwaredomainlist.com here:
http://www.malwaredomainlist.com/forums/index.php?topic=3270.0
patermann

35 Posts
