<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Packet capture for specific ip like signature match in Automation/API Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/automation-api-discussions/packet-capture-for-specific-ip-like-signature-match/m-p/10675#M297</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I haven't tried this myself yet, but you might be able to do it based on the following article, if you have a separate rule for the sinkhole traffic: &lt;A href="https://live.paloaltonetworks.com/docs/DOC-3601"&gt;How to Capture Traffic (PCAP) Hitting a Specific Rule&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Edit: On second thought, in the Anti-Spyware Profile -&amp;gt; DNS Signatures -&amp;gt; where you configure the action as 'sinkhole' there is an option to configure an extended pcap - does this not work?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Roland&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Wed, 08 Apr 2015 12:31:27 GMT</pubDate>
    <dc:creator>eschenburg</dc:creator>
    <dc:date>2015-04-08T12:31:27Z</dc:date>
    <item>
      <title>Packet capture for specific ip like signature match</title>
      <link>https://live.paloaltonetworks.com/t5/automation-api-discussions/packet-capture-for-specific-ip-like-signature-match/m-p/10674#M296</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have configured DNS sinkhole feature. The sinkholing is working fine with providing and blocking fake ip. The only problem is that although I can get the original client ip connecting to the fake ip, I cannot find the payload (url/resource being requested). Is there any way I can capture packets like spyware/vulnerability etc? I checked into these objects however did not find an option of matching on destination ip address.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 01 Apr 2015 14:11:57 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/automation-api-discussions/packet-capture-for-specific-ip-like-signature-match/m-p/10674#M296</guid>
      <dc:creator>Sly_Cooper</dc:creator>
      <dc:date>2015-04-01T14:11:57Z</dc:date>
    </item>
    <item>
      <title>Re: Packet capture for specific ip like signature match</title>
      <link>https://live.paloaltonetworks.com/t5/automation-api-discussions/packet-capture-for-specific-ip-like-signature-match/m-p/10675#M297</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I haven't tried this myself yet, but you might be able to do it based on the following article, if you have a separate rule for the sinkhole traffic: &lt;A href="https://live.paloaltonetworks.com/docs/DOC-3601"&gt;How to Capture Traffic (PCAP) Hitting a Specific Rule&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Edit: On second thought, in the Anti-Spyware Profile -&amp;gt; DNS Signatures -&amp;gt; where you configure the action as 'sinkhole' there is an option to configure an extended pcap - does this not work?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Roland&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 08 Apr 2015 12:31:27 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/automation-api-discussions/packet-capture-for-specific-ip-like-signature-match/m-p/10675#M297</guid>
      <dc:creator>eschenburg</dc:creator>
      <dc:date>2015-04-08T12:31:27Z</dc:date>
    </item>
    <item>
      <title>Re: Packet capture for specific ip like signature match</title>
      <link>https://live.paloaltonetworks.com/t5/automation-api-discussions/packet-capture-for-specific-ip-like-signature-match/m-p/10676#M298</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello Sly_Cooper,&lt;/P&gt;&lt;P&gt;Since most people set up a fictitious IP address as their sinkhole IP address, there is no host on the other end. Any TCP traffic would not make it past the initial SYN requests. In order to capture some traffic, the destination host would have to be listening on the applicable port and get past the three-way handshake.&amp;nbsp; The data following that would be what you are looking for. A sinkhole is just a destination for traffic to go to; its main benefit is identifying infected hosts based on seeing the traffic attempts to the destination IP address of the sinkhole.&lt;/P&gt;&lt;P&gt;Hope this helps,&lt;/P&gt;&lt;P&gt;Phil&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 20 Apr 2015 00:13:40 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/automation-api-discussions/packet-capture-for-specific-ip-like-signature-match/m-p/10676#M298</guid>
      <dc:creator>HITSSEC</dc:creator>
      <dc:date>2015-04-20T00:13:40Z</dc:date>
    </item>
  </channel>
</rss>