StratosphereLinuxIPS icon indicating copy to clipboard operation
StratosphereLinuxIPS copied to clipboard
verified publisher icon stratosphereips

Connection without DNS is still not working properly

Open eldraco opened this issue 1 year ago • 2 comments

Describe the bug In captures to IPs that were resolved with DNS resolution, Slips still detects some of them as 'without DNS'.

To Reproduce Steps to reproduce the behavior:

  1. Go to branch origin/alya/migration_to_python3.10.12 (commit 88c210b)

  2. Use capture https://mcfp.felk.cvut.cz/publicDatasets/CTU-Mixed-Capture-9-1/2017-08-17_capture.pcap

  3. Use default configuration. We did not wait for TI to be downloaded.

  4. ./slips.py -e 1 -f 2017-08-17_capture.pcap

  5. Evidence are:

    1970-01-01T00:00:30.043784+00:00 (TW 1): Src IP 10.0.2.15 . Detected A connection without DNS resolution to IP: 195.113.232.73 AS: CESNET2, CZ AS2852 rDNS: a195-113-232-73.deploy.akamaitechnologies.com threat level: info.

    1970-01-01T00:01:20.291812+00:00 (TW 1): Src IP 10.0.2.15 . Detected A connection without DNS resolution to IP: 195.113.232.73 AS: CESNET2, CZ AS2852 rDNS: a195-113-232-73.deploy.akamaitechnologies.com threat level: info.

But in the pcap you can see that that IP was resolved:

1970-01-01 01:00:30.037934 IP 10.0.2.15.59465 > 147.32.80.9.53: 7449+ A? www.msftncsi.com. (34) E..>.#....KT .... P .I.5.*...............www.msftncsi.com..... 1970-01-01 01:00:30.042806 IP 147.32.80.9.53 > 10.0.2.15.59465: 7449 4/9/9 CNAME www.msftncsi.com.edgesuite.net., CNAME a1961.g2.akamai.net., A 195.113.232.73, A 195.113.232.75 (467)

Expected behavior To recognize that the IP was resolved and not generate this evidence

Branch origin/alya/migration_to_python3.10.12 (commit 88c210b)

Environment (please complete the following information):

  • OS: Linux
  • Python version 3.10.12
  • Are you running slips in docker? yes
  • Docker version (if running slips in docker) Docker version 27.0.3, build 7d4bcd8
  • Slips docker image used (if running slips in docker) ubuntu-image

eldraco avatar Jul 24 '24 10:07 eldraco

I did:

  cmd = "true"
  full_bin = "make run"
  • cmd kind of needs to succeed, so let's fake a build.
  • while full_bin runs make run which can be anything, for example go run main.go

full_bin - Customize binary, can setup environment variables when run your app.

michalb-goflink avatar Aug 28 '24 13:08 michalb-goflink

@michalb-goflink Cool bro! Very grateful to your work.

When night i will try to it, I hope it works for me.

uiosun avatar Aug 30 '24 07:08 uiosun

The only downside I found is that full_bin command does not seem to be gracefully terminated. But that is no real issue in my code

michalb-goflink avatar Aug 30 '24 07:08 michalb-goflink