c2finder

Mandatory disclaimer: I am not a master coder by any means, so this is a very simple script. Do not rely on this to be perfect. I am open to feedback or ideas for improvements, though :)

Description

This script downloads the master C&C list from Bambanek Consulting (http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt), parses it, and searches through Bro logs for occurences of the C&C IPs. It saves the Bro entries that contained the C&C IPs to separate files for each IP and saves it's own output to a log file named in the format c2finder_[date].log.

Usage Examples

./c2finder.py bro/logs/current/dns
./c2finder.py bro/logs/current/http
./c2finder.py bro/logs/current/files

Modifying bro-cut fields

The script is preconfigured with some basic bro-cut selections. If you would like to search in different fields or get other fields in your logs, it's as easy as modifying the commands in the BROCUT dictionary at the beginning of the main section.

About

Look for un-sinkholed C&C IPs in your Bro logs (from Bambanek Consulting C&C master list)

bro-ids infosec blueteam threat-hunting

GNU General Public License v3.0

Languages

Language:Python 93.4%Language:Shell 6.6%