Is there a way to detect if static IPs were contacted based on the network traffic (pcap files)? So basically, if a site/server was contacted without issuing a DNS request first?
I suppose you could check manually if there was a DNS lookup before the first instance of an ip address, but that wouldn’t account for caching.
How do you mean contacted? If it was direct to IP then there would be something in firewall logs. What you are looking for is a better question.
@Dexter_Kane yeah, that’s one approach I also thought of…maybe there are others as well…
@blackfire As mentioned above I’m looking (generally) for services/servers, i.e. IPs, that were contacted with the contactor already knowing the IP. This would mean the IP is statically coded and the application doesn’t issue a DNS request.
If this is in your network then it would require logging on the server.
You wouldn’t be able to tell from the server side if the sender used a lookup to find it.
Are you looking for caching? This is too vague for anyone to really help you.
I wanted to spare the details, but given the fact that they might lead to a better understanding of the situation I’ll provide them.
I was given (and captured myself) a network traffic dump of various Android phones. The capturing itself happened on the routers themselves, i.e. Wireshark was running on every router and it was also capturing the traffic. This means I can view every packet sent and received as long as no encryption was used.
A goal is to detect malicious traffic or traffic that leaks privacy relevant information. While I was not able to find anything (more or less) malicious I detected much unencrypted Ad/Tracking traffic.
As a follow up idea someone suggested that malware often uses static IPs to contact their server, a command and control server for instance, whereas normally applications tend to resolve the IPs by means of DNS requests.
Theoretically, I could open Wireshark and manually write every resolved IP address on a sheet of paper and cross-reference it with the IPs contacted. The IPs left are the ones statically added to applications (unless they were cached).
Edit: Wireshark has a Statistics>Resolved Addresses function, but I think it shows the addresses Wireshark has resolved, not the ones that were resolved in the network traffic. Furthermore, I’d need a “Unresolved Addresses” function anyway, to make things easier.
The static IP for malware is unfortunately not true. Look at WannaCry. It used a hostname, it was stopped by that hostname being taken over.
If you are trying to find malicious traffic then you need to go the proxy or NGFW route from a security vendor. I can recommend a couple as that's my industry. Doing this yourself is too high a technical burden.
Ok thanks for this info then - So, practically a static IP "could" be malware, but it could also be caused by various app developers and thereby would be a shot in the dark? (Adb.miner uses both, hostnames and static IPs though...)
I’d like to hear your opinion on them
Yeah unfortunately as blacklists are a thing adware and malware use host names to change ip when they get rumbled.
OpenDNS is a good service, not on site but quite good.
Forcepoint make both proxy and firewall, both good.
Zscaler and Palo Alto are also respected.
Personally I would stay away from Symantec, their code base is a known issue and my dealings with their technical service is lacking until you get to T3.
Hope it helps.
There’s also DNSCrypt and DNS over HTTPS and various apps using variants of DHT to find things, and who knows what else, all used for legitimate purposes.