Nobuo Miwa
asked on
T-Pot : how to determine src IP of caught binaries
Hello,
I am trying to catch malware using T-Pot.
I caught some malware in /data/dionaea/binaries, but I don't know which IP they came from.
Please let me know how to determine the src IP of each malware sample (the file name is its MD5 hash).
regards,
Nobuo Miwa
ASKER
Thanks arnold,
but I could not find out how to determine the src IP from the binary filename (MD5).
ASKER CERTIFIED SOLUTION
ASKER
Hello arnold,
Thank you for the hints.
I got the src IP from the sqlite log with the following SQL:
select connections.connection_timestamp, connections.remote_host, connections.local_port, downloads.download_md5_hash from connections, downloads where connections.connection = downloads.connection and connections.local_port = '445';
This case should be closed.
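The lookup the asker arrived at, generalised a little, as an added example (this is not code from the thread, from T-Pot or from dionaea): join dionaea's `downloads` table to its `connections` table on the connection id, then group by MD5 so that a file name from /data/dionaea/binaries resolves to every source IP that delivered it. Because dionaea names captured files by their MD5, one file can correspond to several connections, which the query above shows only as separate rows. The table and column names are assumed to follow dionaea's logsql schema; the rows are constructed sample data so the script runs offline, and the location of the real logsql.sqlite file is not stated in the thread, so it is left to the reader.

```python
"""Map MD5-named files captured by dionaea back to the source IPs that
delivered them, via the connections/downloads tables of its SQLite log.

Added example, not code from the thread or from the T-Pot / dionaea
projects. Table and column names are assumed to match dionaea's logsql
schema; all rows below are constructed for the example.
"""
import sqlite3
from collections import defaultdict

# Subset of dionaea's logsql schema (assumption: the columns used in the
# thread's query, in the order dionaea creates them).
SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY,
    connection_type TEXT,
    connection_transport TEXT,
    connection_protocol TEXT,
    connection_timestamp INTEGER,
    connection_root INTEGER,
    connection_parent INTEGER,
    local_host TEXT,
    local_port INTEGER,
    remote_host TEXT,
    remote_hostname TEXT,
    remote_port INTEGER
);
CREATE TABLE downloads (
    download INTEGER PRIMARY KEY,
    connection INTEGER,
    download_url TEXT,
    download_md5_hash TEXT
);
"""

# Constructed sample data: two SMB (445) sessions deliver the same payload,
# one HTTP session delivers a different one. Addresses are documentation ranges.
SAMPLE_CONNECTIONS = [
    (1, "accept", "tcp", "smbd", 1425000000, 1, 1, "10.0.0.5", 445, "198.51.100.7", "", 49152),
    (2, "accept", "tcp", "smbd", 1425003600, 2, 2, "10.0.0.5", 445, "203.0.113.9", "", 51000),
    (3, "accept", "tcp", "httpd", 1425007200, 3, 3, "10.0.0.5", 80, "192.0.2.44", "", 40000),
]
SAMPLE_DOWNLOADS = [
    (1, 1, "tftp://198.51.100.7/x.exe", "d41d8cd98f00b204e9800998ecf8427e"),
    (2, 2, "tftp://203.0.113.9/x.exe", "d41d8cd98f00b204e9800998ecf8427e"),
    (3, 3, "http://192.0.2.44/y.sh", "9e107d9d372bb6826bd81d3542a419d6"),
]

# Same join as the thread's query, written with explicit JOIN syntax.
QUERY = """
SELECT c.connection_timestamp, c.remote_host, c.local_port,
       d.download_md5_hash, d.download_url
FROM downloads AS d
JOIN connections AS c ON c.connection = d.connection
"""


def open_sample_db():
    """Build an in-memory database holding the constructed rows.

    For a real deployment, replace this with sqlite3.connect() on the
    path of dionaea's logsql.sqlite file.
    """
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO connections VALUES (?,?,?,?,?,?,?,?,?,?,?,?)",
                   SAMPLE_CONNECTIONS)
    db.executemany("INSERT INTO downloads VALUES (?,?,?,?)", SAMPLE_DOWNLOADS)
    return db


def sources_by_md5(db, local_port=None):
    """Return {md5: [(timestamp, remote_host, local_port, url), ...]}.

    Every delivering connection is kept, oldest first: one MD5-named file
    in the binaries directory may have been pushed by several sources.
    Pass local_port to restrict to one honeypot service (e.g. 445 for SMB).
    """
    sql, params = QUERY, ()
    if local_port is not None:
        sql += " WHERE c.local_port = ?"
        params = (local_port,)
    sql += " ORDER BY c.connection_timestamp"
    result = defaultdict(list)
    for ts, remote, port, md5, url in db.execute(sql, params):
        result[md5].append((ts, remote, port, url))
    return dict(result)


def sources_for_file(db, filename):
    """Resolve one file name (or path) from the binaries directory to its sources."""
    md5 = filename.rsplit("/", 1)[-1].lower()
    return sources_by_md5(db).get(md5, [])


if __name__ == "__main__":
    db = open_sample_db()
    for md5, hits in sources_by_md5(db).items():
        for ts, remote, port, url in hits:
            print(f"{md5}  {remote:>15}  port {port}  t={ts}  {url}")
```

`sources_for_file(db, "/data/dionaea/binaries/<md5>")` answers the original question for a single file; `sources_by_md5(db, 445)` reproduces the asker's port-445 filter but grouped per sample, so a payload seen from several scanners is reported with all of its sources.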
If this is what you deployed, http://dtag-dev-sec.github.io/mediator/feature/2015/03/17/concept.html
/data/EWS seems to be the log location.
Not sure whether detection/reporting is configurable.