Skip to content
This repository has been archived by the owner on Dec 1, 2021. It is now read-only.
/ c2finder Public archive

Look for un-sinkholed C&C IPs in your Bro logs (from Bambanek Consulting C&C master list)

License

GPL-3.0 license
4 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

mellow-hype/c2finder

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
c2finder.py
c2finder.py
 
 
grepper.sh
grepper.sh
 
 

Repository files navigation

c2finder

Mandatory disclaimer: I am not a master coder by any means, so this is a very simple script. Do not rely on this to be perfect. I am open to feedback or ideas for improvements, though :)

Description

This script downloads the master C&C list from Bambanek Consulting (http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt), parses it, and searches through Bro logs for occurences of the C&C IPs. It saves the Bro entries that contained the C&C IPs to separate files for each IP and saves it's own output to a log file named in the format c2finder_[date].log.

Usage Examples

./c2finder.py bro/logs/current/dns
./c2finder.py bro/logs/current/http
./c2finder.py bro/logs/current/files

Modifying bro-cut fields

The script is preconfigured with some basic bro-cut selections. If you would like to search in different fields or get other fields in your logs, it's as easy as modifying the commands in the BROCUT dictionary at the beginning of the main section.

About

Look for un-sinkholed C&C IPs in your Bro logs (from Bambanek Consulting C&C master list)

Topics

infosec threat-hunting bro-ids blueteam

Resources

Readme

License

GPL-3.0 license
Activity

Stars

4 stars

Watchers

3 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages