1
Follow the Corelight blog for updates: https://corelight.blog/2020/12/15/finding-sunburst-backdoor-with-zeek-logs-and-corelight/
2
3
ConfidenceSourceLogFieldsSplunk QueryZeek-Cut QueryRelevant indicator from source
4
HighFireEye Snort Ruleshttpuri, hostpath="http" uri="/swip/Events" | spath host | where host!="*.solarwinds.com"zgrep "/swip/Events" *http* | grep -v solarwinds.comalert tcp $HOME_NET any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"/swip/Events HTTP/1"; within:100; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600832; rev:1;)
5
HighFireEye Snort Ruleshttpuri, host
path="http" uri="/swip/upd/SolarWinds.CortexPlugin.Components.xml*" | spath host | where host!="*.solarwinds.com"
zgrep "/swip/upd/SolarWinds.CortexPlugin.Components.xml" *http* | grep -v solarwinds.com
alert tcp $HOME_NET any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"/swip/upd/SolarWinds.CortexPlugin.Components.xml"; distance:0; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600833; rev:1;)
6
MediumFireEye HXIOChttpuri, hostpath="http" uri="/swip/SystemDescription" | spath host | where host!="*.solarwinds.com"zgrep "/swip/SystemDescription" *http* | grep -v solarwinds.com<Content type="string">/swip/SystemDescription</Content>
7
MediumFireEye Hashesfilesmd5path="files" md5=02af7cec58b9a5da1c542b5a32151ba1zgrep 02af7cec58b9a5da1c542b5a32151ba1 *files*CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp
8
MediumFireEye Hashesfilesmd5path="files" md5=08e35543d6110ed11fdf558bb093d401 zgrep 08e35543d6110ed11fdf558bb093d401 *files*(compromised code signing certificate)
9
HighFireEye Hashesfilesmd5path="files" md5=2c4a910a1299cdae2a4e55988a2f102ezgrep 2c4a910a1299cdae2a4e55988a2f102e *files*SolarWinds.Orion.Core.BusinessLayer.dll (backdoor)
10
HighFireEye Hashesfilesmd5path="files" md5=846e27a652a5e1bfbd0ddd38a16dc865zgrep 846e27a652a5e1bfbd0ddd38a16dc865 *files*SolarWinds.Orion.Core.BusinessLayer.dll (backdoor)
11
HighFireEye Hashesfilesmd5path="files" md5=b91ce2fa41029f6955bff20079468448zgrep b91ce2fa41029f6955bff20079468448 *files*SolarWinds.Orion.Core.BusinessLayer.dll (backdoor)
12
HighFireEye Hashesfilesmd5path="files" md5=4f2eb62fa529c0283b28d05ddd311faezgrep 4f2eb62fa529c0283b28d05ddd311fae *files*OrionImprovementBusinessLayer.2.cs (Decompiled and corrected source code for SUNBURST)
13
HighFireEye Hashesfilesmd5path="files" md5=56ceb6d0011d87b6e4d7023d7ef85676 zgrep 56ceb6d0011d87b6e4d7023d7ef85676 *files*app_web_logoimagehandler.ashx.b6031896.dll (Webshell)
14
HighFireEye Snort Ruleshttpuri, hostpath="http" uri="*swip/Upload.ashx" | spath host | where host!="*.solarwinds.com"zgrep "swip/Upload.ashx" *http* | grep -v solarwinds.comalert tcp $HOME_NET any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"swip/Upload.ashx HTTP/1"; within:100; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600843; rev:1;)
15
HighFireEye Snort Ruleshttpuri, hostpath="http" uri="/swip/upd/*" | spath host | where host!="*.solarwinds.com"zgrep "/swip/upd/" *http* | grep -v solarwinds.comalert tcp $HOME_NET any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"/swip/upd/"; within:75; content:" HTTP/1."; distance:0; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600844; rev:1;)
16
HighFireEye Snort Rulesdnsquerypath="dns" query="avsvmcloud.com" OR query="*.avsvmcloud.com"zgrep "avsvmcloud.com" *dns*alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"avsvmcloud.com"; distance:0; sid:77600845; rev:1;)
17
HighFireEye Snort Rulesdnsquerypath="dns" query="digitalcollege.org" OR query="*.digitalcollege.org"zgrep "digitalcollege.org" *dns*alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"digitalcollege.org"; within:50; sid:77600846; rev:1;)
18
HighFireEye Snort Rulesdnsquerypath="dns" query="freescanonline.com" OR query="*.freescanonline.com"zgrep "freescanonline.com" *dns*alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"freescanonline.com"; within:50; sid:77600847; rev:1;)
19
HighFireEye Snort Rulesdnsquerypath="dns" query="deftsecurity.com" OR query="*.deftsecurity.com"zgrep "deftsecurity.com" *dns*alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"deftsecurity.com"; within:50; sid:77600848; rev:1;)
20
HighFireEye Snort Rulesdnsquerypath="dns" query="thedoccloud.com" OR query="*.thedoccloud.com"zgrep "thedoccloud.com" *dns*alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"thedoccloud.com"; within:50; sid:77600849; rev:1;)
21
HighFireEye Snort Rulesdnsquerypath="dns" query="virtualdataserver.com" OR query="*.virtualdataserver.com"zgrep "virtualdataserver.com" *dns*alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"virtualdataserver.com"; within:50; sid:77600850; rev:1;)
22
Highdnsquerypath="dns" query="incomeupdate.com" OR query="*.incomeupdate.com"zgrep "incomeupdate.com" *dns*(added, based on certificate IOCs specified below)
23
Highdnsquerypath="dns" query="zupertech.com" OR query="*.zupertech.com"zgrep "zupertech.com" *dns*(added, based on certificate IOCs specified below)
24
Highdnsquerypath="dns" query="databasegalore.com" OR query="*.databasegalore.com"zgrep "databasegalore.com" *dns*(added, based on certificate IOCs specified below)
25
Highdnsquerypath="dns" query="panhardware.com" OR query="*.panhardware.com"zgrep "panhardware.com" *dns*(added, based on certificate IOCs specified below)
26
MediumFireEye NBIsdnsquerypath="dns" query="highdatabase.com" OR query="*.highdatabase.com"zgrep "highdatabase.com" *dns*highdatabase.com
27
MediumFireEye NBIsdnsquerypath="dns" query="websitetheme.com" OR query="*.websitetheme.com"zgrep "websitetheme.com" *dns*websitetheme.com
28
HighFireEye Snort Ruleshttphostpath="http" | spath host | where host="avsvmcloud.com" OR host="*.avsvmcloud.com"zgrep "avsvmcloud.com" *http*alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:".avsvmcloud.com"; distance:0; sid:77600842; rev:1;)
29
HighFireEye Snort Ruleshttphostpath="http" | spath host | where host="digitalcollege.org" OR host="*.digitalcollege.org"zgrep "digitalcollege.org" *http*alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"digitalcollege.org"; within:100; sid:77600851; rev:1;)
30
HighFireEye Snort Ruleshttphostpath="http" | spath host | where host="freescanonline.com" OR host="*.freescanonline.com"zgrep "freescanonline.com" *http*alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"freescanonline.com"; within:100; sid:77600852; rev:1;)
31
HighFireEye Snort Ruleshttphostpath="http" | spath host | where host="deftsecurity.com" OR host="*.deftsecurity.com"zgrep "deftsecurity.com" *http*alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"deftsecurity.com"; within:100; sid:77600853; rev:1;)
32
HighFireEye Snort Ruleshttphostpath="http" | spath host | where host="thedoccloud.com" OR host="*.thedoccloud.com"zgrep "thedoccloud.com" *http*alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"thedoccloud.com"; within:100; sid:77600854; rev:1;)
33
HighFireEye Snort Ruleshttphostpath="http" | spath host | where host="virtualdataserver.com" OR host="*.virtualdataserver.com"zgrep "virtualdataserver.com" *http*alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"virtualdataserver.com"; within:100; sid:77600855; rev:1;)
34
Highhttphostpath="http" | spath host | where host="incomeupdate.com" OR host="*.incomeupdate.com"zgrep "incomeupdate.com" *http*(added, based on certificate IOCs specified below)
35
Highhttphostpath="http" | spath host | where host="zupertech.com" OR host="*.zupertech.com"zgrep "zupertech.com" *http*(added, based on certificate IOCs specified below)
36
Highhttphostpath="http" | spath host | where host="databasegalore.com" OR host="*.databasegalore.com"zgrep "databasegalore.com" *http*(added, based on certificate IOCs specified below)
37
Highhttphostpath="http" | spath host | where host="panhardware.com" OR host="*.panhardware.com"zgrep "panhardware.com" *http*(added, based on certificate IOCs specified below)
38
HighPalo Altohttpuripath="http" uri="/logoimagehandler.ashx*" uri="*clazz=*" uri="*method=*" uri="*args=*" uri="*codes=*"
zgrep "logoimagehandler.ashx" *http* | grep "clazz" | grep "method" | grep "args" | grep "codes"
logoimagehandler.ashx with parameters of "clazz", "method", "args", and "codes"
39
MediumFireEye NBIshttphostpath="http" | spath host | where host="highdatabase.com" OR host="*.highdatabase.com"zgrep "highdatabase.com" *http*highdatabase.com
40
MediumFireEye NBIshttphostpath="http" | spath host | where host="websitetheme.com" OR host="*.websitetheme.com"zgrep "websitetheme.com" *http*websitetheme.com
41
HighFireEye Snort Rulesx509certificate.subjectpath="x509" "certificate.subject"="CN=*incomeupdate.com*"zgrep "incomeupdate.com" *x509*alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"incomeupdate.com"; sid:77600840; rev:1;)
42
HighFireEye Snort Rulesx509certificate.subjectpath="x509" "certificate.subject"="CN=*zupertech.com*"zgrep "zupertech.com" *x509*alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"zupertech.com"; sid:77600863; rev:1;)
43
HighFireEye Snort Rulesx509certificate.subjectpath="x509" "certificate.subject"="CN=*databasegalore.com*"zgrep "databasegalore.com" *x509*alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"databasegalore.com"; sid:77600864; rev:1;)
44
HighFireEye Snort Rulesx509certificate.subjectpath="x509" "certificate.subject"="CN=*panhardware.com*"zgrep "panhardware.com" *x509*alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"panhardware.com"; sid:77600865; rev:1;)
45
HighFireEye Snort Ruleshttp
method, post_body
path="http" method=POST post_body="name=\"*\";filename=\"*\"Content-Type:*"zgrep 'filename=' *http* | grep POSTalert tcp $HOME_NET any -> any any (msg:"Backdoor.BEACON"; content:"POST"; depth:4; content:"|0d 0a 0d 0a|name=\""; content:"\"\;filename=\""; content:"\"|0a|Content-Type:"; sid:77600837; rev:1;)
46
HighFireEye Snort RulesNot detectable with default Zeek logs: this rule fingerprints HTTP response headers (Server, Cache-Control, X-AspNet-Version, X-Powered-By, ...), which Zeek's http.log does not record.

Use the Suricata/Snort rule in the indicator column instead (e.g. on a Corelight appliance or any sensor that runs Suricata signatures) ---->
alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; content:"HTTP/1."; depth:7; content:"Server: nginx/1.14.0 (Ubuntu)"; distance:0; content:"Connection: close"; distance:0; content:"Cache-Control: max-age=300, must-revalidate"; distance:0; content:"X-Content-Type-Options: nosniff"; distance:0; content:"X-AspNetMvc-Version: 3.0"; distance:0; content:"X-AspNet-Version: 4.0.30319"; distance:0; content:"X-Powered-By: ASP.NET"; distance:0; content:"Content-Length: "; content:"|0d 0a|"; distance:6; within:4; sid:77600856; rev:1;)
47
HighFireEye Snort Rulesalert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<title>Woman-Five-How-To-Why-Your-Celebrating-Learn-Brand</title>"; sid:77600857; rev:1;)
48
HighFireEye Snort Rulesalert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<p>Companies-Best-Man-Vendors-Best</p>"; sid:77600858; rev:1;)
49
HighFireEye Snort Rulesalert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<meta name=\"msvalidate.01\" content=\"ECEE9516DDABFC7CCBBF1EACC04CAC20\">"; content:"<meta name=\"google-site-verification\" content=\"CD5EF1FCB54FE29C838ABCBBE0FA57AE\">"; sid:77600859; rev:1;)
50
HighFireEye Snort Rulesalert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<p>Million-Support-Years-Week-Agents</p>"; sid:77600860; rev:1;)
51
HighSymantecdnsquerypath="dns" query="infinitysoftwares.com" OR query="*.infinitysoftwares.com"zgrep "infinitysoftwares.com" *dns*infinitysoftwares.com
52
HighSymantecdnsquerypath="dns" query="bigtopweb.com" OR query="*.bigtopweb.com"zgrep "bigtopweb.com" *dns*bigtopweb.com
53
HighSymantecx509certificate.subjectpath="x509" "certificate.subject"="CN=*infinitysoftwares.com*"zgrep "infinitysoftwares.com" *x509*
54
HighSymantecx509certificate.subjectpath="x509" "certificate.subject"="CN=*bigtopweb.com*"zgrep "bigtopweb.com" *x509*
55
MediumVolexitydnsquerypath="dns" query="*lcomputers.com"zgrep "lcomputers.com" *dns*lcomputers.com
56
MediumVolexitydnsquerypath="dns" query="*webcodez.com"zgrep "webcodez.com" *dns*webcodez.com
57
MediumVolexitydnsquerypath="dns" query="*freescanonline.com"zgrep "freescanonline.com" *dns*freescanonline.com
58
MediumVolexitydnsquerypath="dns" query="*globalnetworkissues.com"zgrep "globalnetworkissues.com" *dns*globalnetworkissues.com
59
MediumVolexitydnsquerypath="dns" query="*kubecloud.com"zgrep "kubecloud.com" *dns*kubecloud.com
60
MediumVolexitydnsquerypath="dns" query="*seobundlekit.com"zgrep "seobundlekit.com" *dns*seobundlekit.com
61
MediumVolexityhttphostpath="http" | spath host | where host="*lcomputers.com"zgrep "lcomputers.com" *http*lcomputers.com
62
MediumVolexityhttphostpath="http" | spath host | where host="*webcodez.com"zgrep "webcodez.com" *http*webcodez.com
63
MediumVolexityhttphostpath="http" | spath host | where host="*freescanonline.com"zgrep "freescanonline.com" *http*freescanonline.com
64
MediumVolexityhttphostpath="http" | spath host | where host="*globalnetworkissues.com"zgrep "globalnetworkissues.com" *http*globalnetworkissues.com
65
MediumVolexityhttphostpath="http" | spath host | where host="*kubecloud.com"zgrep "kubecloud.com" *http*kubecloud.com
66
MediumVolexityhttphostpath="http" | spath host | where host="*seobundlekit.com"zgrep "seobundlekit.com" *http*seobundlekit.com
67
MediumSANSx509certificate.serialpath="x509" "certificate.serial"=0fe973752022a606adf2a36e345dc0edzgrep -i 0fe973752022a606adf2a36e345dc0ed *x509*0fe973752022a606adf2a36e345dc0ed (Zeek x509.log records certificate.serial as uppercase hex, so a case-sensitive grep for the lowercase form will miss it; match case-insensitively or use 0FE973752022A606ADF2A36E345DC0ED)
68
Medium@KyleHanslovanfilessha256path="files" sha256=d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600
zgrep d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600 *files*
d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600
69
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::12cd:14bb:2dadzgrep 2a0d:5600:9::12cd:14bb:2dad *conn*2a0d:5600:9::12cd:14bb:2dad
70
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::190c:a362:ebcezgrep 2a0d:5600:9::190c:a362:ebce *conn*2a0d:5600:9::190c:a362:ebce
71
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::2149:2eba:c4ezgrep 2a0d:5600:9::2149:2eba:c4e *conn*2a0d:5600:9::2149:2eba:c4e
72
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::2161:775b:ce56zgrep 2a0d:5600:9::2161:775b:ce56 *conn*2a0d:5600:9::2161:775b:ce56
73
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::235a:9040:5f2ezgrep 2a0d:5600:9::235a:9040:5f2e *conn*2a0d:5600:9::235a:9040:5f2e
74
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::291:a34c:b767zgrep 2a0d:5600:9::291:a34c:b767 *conn*2a0d:5600:9::291:a34c:b767
75
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::2cc3:398f:9b0bzgrep 2a0d:5600:9::2cc3:398f:9b0b *conn*2a0d:5600:9::2cc3:398f:9b0b
76
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::35ba:69fe:599czgrep 2a0d:5600:9::35ba:69fe:599c *conn*2a0d:5600:9::35ba:69fe:599c
77
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::42c4:1aa9:57d4zgrep 2a0d:5600:9::42c4:1aa9:57d4 *conn*2a0d:5600:9::42c4:1aa9:57d4
78
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::47eb:a03e:4df8zgrep 2a0d:5600:9::47eb:a03e:4df8 *conn*2a0d:5600:9::47eb:a03e:4df8
79
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::49e6:cc16:28a7zgrep 2a0d:5600:9::49e6:cc16:28a7 *conn*2a0d:5600:9::49e6:cc16:28a7
80
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::5020:4c8e:d671zgrep 2a0d:5600:9::5020:4c8e:d671 *conn*2a0d:5600:9::5020:4c8e:d671
81
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::50b3:7375:7156zgrep 2a0d:5600:9::50b3:7375:7156 *conn*2a0d:5600:9::50b3:7375:7156
82
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::5555:be8c:fbf1zgrep 2a0d:5600:9::5555:be8c:fbf1 *conn*2a0d:5600:9::5555:be8c:fbf1
83
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::5861:cf7d:8180zgrep 2a0d:5600:9::5861:cf7d:8180 *conn*2a0d:5600:9::5861:cf7d:8180
84
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::5883:7989:9946zgrep 2a0d:5600:9::5883:7989:9946 *conn*2a0d:5600:9::5883:7989:9946
85
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::599a:9ddc:c95zgrep 2a0d:5600:9::599a:9ddc:c95 *conn*2a0d:5600:9::599a:9ddc:c95
86
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::5e19:a693:6e8dzgrep 2a0d:5600:9::5e19:a693:6e8d *conn*2a0d:5600:9::5e19:a693:6e8d
87
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::5fe:196f:54cczgrep 2a0d:5600:9::5fe:196f:54cc *conn*2a0d:5600:9::5fe:196f:54cc
88
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::6c57:d06c:7729zgrep 2a0d:5600:9::6c57:d06c:7729 *conn*2a0d:5600:9::6c57:d06c:7729
89
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::6f48:975d:85dbzgrep 2a0d:5600:9::6f48:975d:85db *conn*2a0d:5600:9::6f48:975d:85db
90
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::7873:ec2:69e7zgrep 2a0d:5600:9::7873:ec2:69e7 *conn*2a0d:5600:9::7873:ec2:69e7
91
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::7ca3:171c:8e43zgrep 2a0d:5600:9::7ca3:171c:8e43 *conn*2a0d:5600:9::7ca3:171c:8e43
92
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::8cda:9b39:e905zgrep 2a0d:5600:9::8cda:9b39:e905 *conn*2a0d:5600:9::8cda:9b39:e905
93
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::960e:8af8:109azgrep 2a0d:5600:9::960e:8af8:109a *conn*2a0d:5600:9::960e:8af8:109a
94
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::9691:2801:4c8fzgrep 2a0d:5600:9::9691:2801:4c8f *conn*2a0d:5600:9::9691:2801:4c8f
95
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::99f7:1633:ce5bzgrep 2a0d:5600:9::99f7:1633:ce5b *conn*2a0d:5600:9::99f7:1633:ce5b
96
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::9b33:abd4:96f7zgrep 2a0d:5600:9::9b33:abd4:96f7 *conn*2a0d:5600:9::9b33:abd4:96f7
97
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::9db7:1f30:8241zgrep 2a0d:5600:9::9db7:1f30:8241 *conn*2a0d:5600:9::9db7:1f30:8241
98
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::a582:2011:e14zgrep 2a0d:5600:9::a582:2011:e14 *conn*2a0d:5600:9::a582:2011:e14
99
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::a962:d69f:9628zgrep 2a0d:5600:9::a962:d69f:9628 *conn*2a0d:5600:9::a962:d69f:9628
100
MediumDNS historyconnts, id.resp_hpath="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::bc1f:dbfa:2238zgrep 2a0d:5600:9::bc1f:dbfa:2238 *conn*2a0d:5600:9::bc1f:dbfa:2238