T-Pot : how to determine src IP of caught binaries


I am trying to catch malware using T-Pot.
I caught some malware in /data/dionaea/binaries, but I don't know which IP they came from.

Please let me know how to determine the src IP of each malware sample (the file name is its MD5 hash).

Nobuo Miwa, Security Engineer, asked:


Commonly, a log should exist that identifies the binary and its source.

If this is what you deployed, http://dtag-dev-sec.github.io/mediator/feature/2015/03/17/concept.html

Seems to be the log location.

Not sure whether detection/reporting is configurable.
Nobuo Miwa, Security Engineer (Author), commented:
Thanks arnold,

But I could not find a way to get the src IP from the binary's filename (MD5).
What logging options do you set? What log entries do you see?
It could be the IPs are reported in hex format from 00000000-ffffffff equivalent to
It could be the data is in combination of log files.
Grab a couple of lines from each log file you have and post the text; let's see if a pattern can be seen/developed.

Nobuo Miwa, Security Engineer (Author), commented:
Hello arnold,

Thank you for the hints.

I got the src IP from the sqlite log with the following SQL:

    select connections.connection_timestamp,
           connections.remote_host,
           connections.local_port,
           downloads.download_md5_hash
    from connections, downloads
    where connections.connection = downloads.connection
      and connections.local_port = '445';

This case should be closed.
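The correlation in the accepted answer, as an added example that is not part of the original thread: it joins dionaea's `downloads` table to `connections` on the shared `connection` id and returns the remote hosts that dropped a given MD5. The schema is a constructed subset reconstructed from the query above (a real dionaea logsql database has more columns), and the sample rows are constructed.

```python
import os
import sqlite3

# Constructed subset of dionaea's logsql schema (assumption: only the columns
# referenced by the query in the answer above; real databases carry more).
SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY,
    connection_timestamp INTEGER,
    remote_host TEXT,
    local_port INTEGER
);
CREATE TABLE downloads (
    download INTEGER PRIMARY KEY,
    connection INTEGER,
    download_md5_hash TEXT
);
"""

# Constructed sample data: two SMB (445) sessions dropping the same binary, one HTTP (80).
SAMPLE_CONNECTIONS = [
    (1, 1500000000, "198.51.100.23", 445),
    (2, 1500000100, "203.0.113.7", 445),
    (3, 1500000200, "192.0.2.9", 80),
]
SAMPLE_DOWNLOADS = [
    (1, 1, "0123456789abcdef0123456789abcdef"),
    (2, 2, "0123456789abcdef0123456789abcdef"),
    (3, 3, "fedcba9876543210fedcba9876543210"),
]

def build_sample_db():
    """In-memory stand-in for /data/dionaea/logsql.sqlite with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO connections VALUES (?,?,?,?)", SAMPLE_CONNECTIONS)
    con.executemany("INSERT INTO downloads VALUES (?,?,?)", SAMPLE_DOWNLOADS)
    return con

def sources_for_binary(con, path, local_port=None):
    """Return (timestamp, remote_host, local_port) for every session that dropped
    the binary; the file name under /data/dionaea/binaries is its MD5 hash."""
    md5 = os.path.basename(path).lower()
    sql = ("SELECT c.connection_timestamp, c.remote_host, c.local_port "
           "FROM downloads d JOIN connections c ON c.connection = d.connection "
           "WHERE d.download_md5_hash = ?")
    params = [md5]
    if local_port is not None:            # optional filter, e.g. 445 as in the answer
        sql += " AND c.local_port = ?"
        params.append(local_port)
    return con.execute(sql + " ORDER BY c.connection_timestamp", params).fetchall()
```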