This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Spotting botnet command & control

1

I was reading this article (http://www.technologyreview.com/computing/37311/?p1=MstRcnt&a=f) about spotting botnet command & control boxes. It seems to me you could also use the Wireshark filter: dns.flags.rcode == 3. If you received a lot of failures, as this filter should show, that would warrant further investigation. Thoughts anyone?

asked 19 Apr '11, 05:51


RobertM

edited 19 Apr '11, 05:52


One Answer:

2

I assume that you're referring to the study published by Texas A&M University at http://www.ee.tamu.edu/~reddy/papers/imc2010-yadav.pdf.

IMHO Wireshark is a tool to analyze generic network traffic and not a tool to detect botnet C&C traffic. Detecting - and stopping - this traffic would more be a job for an intrusion detection / prevention system.

Alas, detecting C&C traffic is not that easy: we found malicious and C&C traffic also in ICMP, HTTP, and other protocols.

Just relying on the display filter dns.flags.rcode == 3 delivers a bunch of false positives if you look for C&C traffic. About every network with Windows workstations will generate a ton of queries for hostnames like WPAD (possibly multiple queries when name devolution is used).

DNS return code 3 can also be seen in large quantities for queries to spamhaus.org or a hashserver at trendmicro.com. To me these queries (or the return codes) are nothing to worry about.

Any other ideas?

answered 20 Apr '11, 11:31


packethunter

I fully understand your position, packethunter, and I agree. I only mentioned this as an example that if you were getting a lot (let's say over 20) failed DNS responses in a short amount of time from one machine in your network, that might alert an administrator to a possible(!) infection that would warrant looking into the errors further. I didn't mean to suggest using Wireshark as an IDS or IPS. I suggested its use as another tool in hunting down C&C in your network.

(20 Apr '11, 12:15) SovereignMoney
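As an added example (not code from the thread or from the Wireshark project), here is how the idea in the comment above can be turned into a repeatable check while keeping the false positives the answer warns about out of the count. It reads records shaped like the output of `tshark -T fields -e frame.time_epoch -e ip.dst -e dns.qry.name -e dns.flags.rcode` applied to DNS responses (so ip.dst is the querying client), ignores NXDOMAIN answers for WPAD names and for the spamhaus.org / trendmicro.com lookups mentioned in the answer, and flags any client that exceeds a threshold of NXDOMAIN responses inside a sliding time window. The threshold of 20 comes from the comment; the 60-second window, the benign-name list and all sample records are assumptions constructed for this example.

```python
"""Sliding-window count of DNS NXDOMAIN (rcode 3) responses per client.

Input lines are tab-separated: frame.time_epoch, ip.dst (client), dns.qry.name,
dns.flags.rcode. The sample data below is constructed for this example.
"""
from collections import defaultdict, deque

# Assumed allowlist, taken from the answer's list of harmless NXDOMAIN sources.
BENIGN_FIRST_LABELS = ("wpad",)                 # WPAD lookups, incl. name devolution
BENIGN_SUFFIXES = ("spamhaus.org", "trendmicro.com")

# Constructed sample records (not captured traffic):
#   10.0.0.5  : 25 NXDOMAINs for unrelated names within 25 s   -> should be flagged
#   10.0.0.7  : 30 WPAD NXDOMAINs                               -> allowlisted
#   10.0.0.9  : 5 spamhaus.org NXDOMAINs                        -> allowlisted
#   10.0.0.11 : 22 NXDOMAINs spread 10 s apart (210 s span)     -> never >20 in 60 s
SAMPLE_LINES = (
    [f"{1000 + i}\t10.0.0.5\tq{i}.invalid\t3" for i in range(25)]
    + [f"{1000 + i}\t10.0.0.7\twpad.corp.example\t3" for i in range(30)]
    + [f"{1000 + i}\t10.0.0.9\t{i}.zen.spamhaus.org\t3" for i in range(5)]
    + [f"{1000 + i * 10}\t10.0.0.11\tslow{i}.invalid\t3" for i in range(22)]
    + ["1001\t10.0.0.5\twww.example.com\t0",   # successful answer, rcode 0
       "not a valid record"]                    # malformed line, skipped
)


def is_benign(qname):
    """True for query names the answer describes as routine NXDOMAIN sources."""
    name = qname.lower().rstrip(".")
    if name.split(".")[0] in BENIGN_FIRST_LABELS:
        return True
    return any(name == s or name.endswith("." + s) for s in BENIGN_SUFFIXES)


def parse_line(line):
    """Return (timestamp, client, qname, rcode) or None for a malformed line."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 4:
        return None
    ts, client, qname, rcode = fields
    try:
        return float(ts), client, qname, int(rcode)
    except ValueError:
        return None


def find_suspects(lines, threshold=20, window=60.0):
    """Return {client: peak_count} for clients whose non-allowlisted NXDOMAIN
    responses exceed `threshold` within any `window` seconds."""
    records = sorted(r for r in map(parse_line, lines) if r is not None)
    recent = defaultdict(deque)   # client -> timestamps inside the current window
    suspects = {}
    for ts, client, qname, rcode in records:
        if rcode != 3 or is_benign(qname):
            continue
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            suspects[client] = max(suspects.get(client, 0), len(q))
    return suspects


if __name__ == "__main__":
    for client, peak in find_suspects(SAMPLE_LINES).items():
        print(f"{client}: {peak} NXDOMAIN responses in one {60.0:.0f}s window; worth a closer look")
```

The output of this check is a starting point for investigation, exactly as the comment says: a flagged host still needs its actual queries examined, since the allowlist only covers the benign sources named in the answer and a real network will have others.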

Sure. Wireshark is an excellent tool if you know what you are looking for.

Just remember that there are several techniques to sneak information through all security mechanisms that can be purchased for money.

Unfortunately we don't have a button like "find all problems" - yet.

Keep on hunting!

(20 Apr '11, 12:30) packethunter