Follow the Corelight blog for updates: https://corelight.blog/2020/12/15/finding-sunburst-backdoor-with-zeek-logs-and-corelight/

Confidence | Source | Log | Fields | Splunk Query | Zeek-Cut Query | Relevant indicator from source
---|---|---|---|---|---|---
High | FireEye Snort Rules | http | uri, host | path="http" uri="/swip/Events" \| spath host \| search NOT host="*.solarwinds.com" | zgrep "/swip/Events" *http* \| grep -v solarwinds.com | alert tcp $HOME_NET any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"/swip/Events HTTP/1"; within:100; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600832; rev:1;)
High | FireEye Snort Rules | http | uri, host | path="http" uri="/swip/upd/SolarWinds.CortexPlugin.Components.xml*" \| spath host \| search NOT host="*.solarwinds.com" | zgrep "/swip/upd/SolarWinds.CortexPlugin.Components.xml" *http* \| grep -v solarwinds.com | alert tcp $HOME_NET any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"/swip/upd/SolarWinds.CortexPlugin.Components.xml"; distance:0; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600833; rev:1;)
Medium | FireEye HXIOC | http | uri, host | path="http" uri="/swip/SystemDescription" \| spath host \| search NOT host="*.solarwinds.com" | zgrep "/swip/SystemDescription" *http* \| grep -v solarwinds.com | `<Content type="string">/swip/SystemDescription</Content>`
Medium | FireEye Hashes | files | md5 | path="files" md5=02af7cec58b9a5da1c542b5a32151ba1 | zgrep 02af7cec58b9a5da1c542b5a32151ba1 *files* | CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp
Medium | FireEye Hashes | files | md5 | path="files" md5=08e35543d6110ed11fdf558bb093d401 | zgrep 08e35543d6110ed11fdf558bb093d401 *files* | (compromised code signing certificate)
High | FireEye Hashes | files | md5 | path="files" md5=2c4a910a1299cdae2a4e55988a2f102e | zgrep 2c4a910a1299cdae2a4e55988a2f102e *files* | SolarWinds.Orion.Core.BusinessLayer.dll (backdoor)
High | FireEye Hashes | files | md5 | path="files" md5=846e27a652a5e1bfbd0ddd38a16dc865 | zgrep 846e27a652a5e1bfbd0ddd38a16dc865 *files* | SolarWinds.Orion.Core.BusinessLayer.dll (backdoor)
High | FireEye Hashes | files | md5 | path="files" md5=b91ce2fa41029f6955bff20079468448 | zgrep b91ce2fa41029f6955bff20079468448 *files* | SolarWinds.Orion.Core.BusinessLayer.dll (backdoor)
High | FireEye Hashes | files | md5 | path="files" md5=4f2eb62fa529c0283b28d05ddd311fae | zgrep 4f2eb62fa529c0283b28d05ddd311fae *files* | OrionImprovementBusinessLayer.2.cs (decompiled and corrected source code for SUNBURST)
High | FireEye Hashes | files | md5 | path="files" md5=56ceb6d0011d87b6e4d7023d7ef85676 | zgrep 56ceb6d0011d87b6e4d7023d7ef85676 *files* | app_web_logoimagehandler.ashx.b6031896.dll (webshell)
High | FireEye Snort Rules | http | uri, host | path="http" uri="*swip/Upload.ashx" \| spath host \| search NOT host="*.solarwinds.com" | zgrep "swip/Upload.ashx" *http* \| grep -v solarwinds.com | alert tcp $HOME_NET any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"swip/Upload.ashx HTTP/1"; within:100; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600843; rev:1;)
High | FireEye Snort Rules | http | uri, host | path="http" uri="/swip/upd/*" \| spath host \| search NOT host="*.solarwinds.com" | zgrep "/swip/upd/" *http* \| grep -v solarwinds.com | alert tcp $HOME_NET any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"/swip/upd/"; within:75; content:" HTTP/1."; distance:0; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600844; rev:1;)
High | FireEye Snort Rules | dns | query | path="dns" query="avsvmcloud.com" OR query="*.avsvmcloud.com" | zgrep "avsvmcloud.com" *dns* | alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"\|16 03\|"; depth:2; content:"avsvmcloud.com"; distance:0; sid:77600845; rev:1;)
High | FireEye Snort Rules | dns | query | path="dns" query="digitalcollege.org" OR query="*.digitalcollege.org" | zgrep "digitalcollege.org" *dns* | alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"\|16 03\|"; depth:2; content:"\|55 04 03\|"; distance:0; content:"digitalcollege.org"; within:50; sid:77600846; rev:1;)
High | FireEye Snort Rules | dns | query | path="dns" query="freescanonline.com" OR query="*.freescanonline.com" | zgrep "freescanonline.com" *dns* | alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"\|16 03\|"; depth:2; content:"\|55 04 03\|"; distance:0; content:"freescanonline.com"; within:50; sid:77600847; rev:1;)
High | FireEye Snort Rules | dns | query | path="dns" query="deftsecurity.com" OR query="*.deftsecurity.com" | zgrep "deftsecurity.com" *dns* | alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"\|16 03\|"; depth:2; content:"\|55 04 03\|"; distance:0; content:"deftsecurity.com"; within:50; sid:77600848; rev:1;)
High | FireEye Snort Rules | dns | query | path="dns" query="thedoccloud.com" OR query="*.thedoccloud.com" | zgrep "thedoccloud.com" *dns* | alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"\|16 03\|"; depth:2; content:"\|55 04 03\|"; distance:0; content:"thedoccloud.com"; within:50; sid:77600849; rev:1;)
High | FireEye Snort Rules | dns | query | path="dns" query="virtualdataserver.com" OR query="*.virtualdataserver.com" | zgrep "virtualdataserver.com" *dns* | alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"\|16 03\|"; depth:2; content:"\|55 04 03\|"; distance:0; content:"virtualdataserver.com"; within:50; sid:77600850; rev:1;)
High | | dns | query | path="dns" query="incomeupdate.com" OR query="*.incomeupdate.com" | zgrep "incomeupdate.com" *dns* | (added, based on the certificate IOCs specified below)
High | | dns | query | path="dns" query="zupertech.com" OR query="*.zupertech.com" | zgrep "zupertech.com" *dns* | (added, based on the certificate IOCs specified below)
High | | dns | query | path="dns" query="databasegalore.com" OR query="*.databasegalore.com" | zgrep "databasegalore.com" *dns* | (added, based on the certificate IOCs specified below)
High | | dns | query | path="dns" query="panhardware.com" OR query="*.panhardware.com" | zgrep "panhardware.com" *dns* | (added, based on the certificate IOCs specified below)
Medium | FireEye NBIs | dns | query | path="dns" query="highdatabase.com" OR query="*.highdatabase.com" | zgrep "highdatabase.com" *dns* | highdatabase.com
Medium | FireEye NBIs | dns | query | path="dns" query="websitetheme.com" OR query="*.websitetheme.com" | zgrep "websitetheme.com" *dns* | websitetheme.com
High | FireEye Snort Rules | http | host | path="http" \| spath host \| search host="avsvmcloud.com" OR host="*.avsvmcloud.com" | zgrep "avsvmcloud.com" *http* | alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:".avsvmcloud.com"; distance:0; sid:77600842; rev:1;)
High | FireEye Snort Rules | http | host | path="http" \| spath host \| search host="digitalcollege.org" OR host="*.digitalcollege.org" | zgrep "digitalcollege.org" *http* | alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"digitalcollege.org"; within:100; sid:77600851; rev:1;)
High | FireEye Snort Rules | http | host | path="http" \| spath host \| search host="freescanonline.com" OR host="*.freescanonline.com" | zgrep "freescanonline.com" *http* | alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"freescanonline.com"; within:100; sid:77600852; rev:1;)
High | FireEye Snort Rules | http | host | path="http" \| spath host \| search host="deftsecurity.com" OR host="*.deftsecurity.com" | zgrep "deftsecurity.com" *http* | alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"deftsecurity.com"; within:100; sid:77600853; rev:1;)
High | FireEye Snort Rules | http | host | path="http" \| spath host \| search host="thedoccloud.com" OR host="*.thedoccloud.com" | zgrep "thedoccloud.com" *http* | alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"thedoccloud.com"; within:100; sid:77600854; rev:1;)
High | FireEye Snort Rules | http | host | path="http" \| spath host \| search host="virtualdataserver.com" OR host="*.virtualdataserver.com" | zgrep "virtualdataserver.com" *http* | alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"virtualdataserver.com"; within:100; sid:77600855; rev:1;)
High | | http | host | path="http" \| spath host \| search host="incomeupdate.com" OR host="*.incomeupdate.com" | zgrep "incomeupdate.com" *http* | (added, based on the certificate IOCs specified below)
High | | http | host | path="http" \| spath host \| search host="zupertech.com" OR host="*.zupertech.com" | zgrep "zupertech.com" *http* | (added, based on the certificate IOCs specified below)
High | | http | host | path="http" \| spath host \| search host="databasegalore.com" OR host="*.databasegalore.com" | zgrep "databasegalore.com" *http* | (added, based on the certificate IOCs specified below)
High | | http | host | path="http" \| spath host \| search host="panhardware.com" OR host="*.panhardware.com" | zgrep "panhardware.com" *http* | (added, based on the certificate IOCs specified below)
Medium | FireEye NBIs | http | host | path="http" \| spath host \| search host="highdatabase.com" OR host="*.highdatabase.com" | zgrep "highdatabase.com" *http* | highdatabase.com
Medium | FireEye NBIs | http | host | path="http" \| spath host \| search host="websitetheme.com" OR host="*.websitetheme.com" | zgrep "websitetheme.com" *http* | websitetheme.com
High | FireEye Snort Rules | x509 | certificate.subject | path="x509" "certificate.subject"="CN=*incomeupdate.com*" | zgrep "incomeupdate.com" *x509* | alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"\|16 03 03\|"; depth:3; content:"incomeupdate.com"; sid:77600840; rev:1;)
High | FireEye Snort Rules | x509 | certificate.subject | path="x509" "certificate.subject"="CN=*zupertech.com*" | zgrep "zupertech.com" *x509* | alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"\|16 03 03\|"; depth:3; content:"zupertech.com"; sid:77600863; rev:1;)
High | FireEye Snort Rules | x509 | certificate.subject | path="x509" "certificate.subject"="CN=*databasegalore.com*" | zgrep "databasegalore.com" *x509* | alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"\|16 03 03\|"; depth:3; content:"databasegalore.com"; sid:77600864; rev:1;)
High | FireEye Snort Rules | x509 | certificate.subject | path="x509" "certificate.subject"="CN=*panhardware.com*" | zgrep "panhardware.com" *x509* | alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"\|16 03 03\|"; depth:3; content:"panhardware.com"; sid:77600865; rev:1;)
High | FireEye Snort Rules | http | method, post_body | path="http" method=POST post_body="name=\"*\";filename=\"*\"Content-Type:*" | zgrep 'filename=' *http* \| grep POST | alert tcp $HOME_NET any -> any any (msg:"Backdoor.BEACON"; content:"POST"; depth:4; content:"\|0d 0a 0d 0a\|name=\""; content:"\"\;filename=\""; content:"\"\|0a\|Content-Type:"; sid:77600837; rev:1;)
High | FireEye Snort Rules | (not detectable with default Zeek logs; use the Suricata rule instead, e.g. on a Corelight appliance) | | | | alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; content:"HTTP/1."; depth:7; content:"Server: nginx/1.14.0 (Ubuntu)"; distance:0; content:"Connection: close"; distance:0; content:"Cache-Control: max-age=300, must-revalidate"; distance:0; content:"X-Content-Type-Options: nosniff"; distance:0; content:"X-AspNetMvc-Version: 3.0"; distance:0; content:"X-AspNet-Version: 4.0.30319"; distance:0; content:"X-Powered-By: ASP.NET"; distance:0; content:"Content-Length: "; content:"\|0d 0a\|"; distance:6; within:4; sid:77600856; rev:1;)
High | FireEye Snort Rules | (not detectable with default Zeek logs; Suricata rule only) | | | | alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<title>Woman-Five-How-To-Why-Your-Celebrating-Learn-Brand</title>"; sid:77600857; rev:1;)
High | FireEye Snort Rules | (not detectable with default Zeek logs; Suricata rule only) | | | | alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<p>Companies-Best-Man-Vendors-Best</p>"; sid:77600858; rev:1;)
High | FireEye Snort Rules | (not detectable with default Zeek logs; Suricata rule only) | | | | alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<meta name=\"msvalidate.01\" content=\"ECEE9516DDABFC7CCBBF1EACC04CAC20\">"; content:"<meta name=\"google-site-verification\" content=\"CD5EF1FCB54FE29C838ABCBBE0FA57AE\">"; sid:77600859; rev:1;)
High | FireEye Snort Rules | (not detectable with default Zeek logs; Suricata rule only) | | | | alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<p>Million-Support-Years-Week-Agents</p>"; sid:77600860; rev:1;)
Medium | Volexity | dns | query | path="dns" query="*lcomputers.com" | zgrep "lcomputers.com" *dns* | lcomputers.com
Medium | Volexity | dns | query | path="dns" query="*webcodez.com" | zgrep "webcodez.com" *dns* | webcodez.com
Medium | Volexity | dns | query | path="dns" query="*freescanonline.com" | zgrep "freescanonline.com" *dns* | freescanonline.com
Medium | Volexity | dns | query | path="dns" query="*globalnetworkissues.com" | zgrep "globalnetworkissues.com" *dns* | globalnetworkissues.com
Medium | Volexity | dns | query | path="dns" query="*kubecloud.com" | zgrep "kubecloud.com" *dns* | kubecloud.com
Medium | Volexity | dns | query | path="dns" query="*seobundlekit.com" | zgrep "seobundlekit.com" *dns* | seobundlekit.com
Medium | Volexity | http | host | path="http" \| spath host \| search host="*lcomputers.com" | zgrep "lcomputers.com" *http* | lcomputers.com
Medium | Volexity | http | host | path="http" \| spath host \| search host="*webcodez.com" | zgrep "webcodez.com" *http* | webcodez.com
Medium | Volexity | http | host | path="http" \| spath host \| search host="*freescanonline.com" | zgrep "freescanonline.com" *http* | freescanonline.com
Medium | Volexity | http | host | path="http" \| spath host \| search host="*globalnetworkissues.com" | zgrep "globalnetworkissues.com" *http* | globalnetworkissues.com
Medium | Volexity | http | host | path="http" \| spath host \| search host="*kubecloud.com" | zgrep "kubecloud.com" *http* | kubecloud.com
Medium | Volexity | http | host | path="http" \| spath host \| search host="*seobundlekit.com" | zgrep "seobundlekit.com" *http* | seobundlekit.com
Medium | SANS | x509 | certificate.serial | path="x509" "certificate.serial"=0fe973752022a606adf2a36e345dc0ed | zgrep 0fe973752022a606adf2a36e345dc0ed *x509* | 0fe973752022a606adf2a36e345dc0ed
Medium | @KyleHanslovan | files | sha256 | path="files" sha256=d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600 | zgrep d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600 *files* | d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::12cd:14bb:2dad | zgrep 2a0d:5600:9::12cd:14bb:2dad *conn* | 2a0d:5600:9::12cd:14bb:2dad
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::190c:a362:ebce | zgrep 2a0d:5600:9::190c:a362:ebce *conn* | 2a0d:5600:9::190c:a362:ebce
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::2149:2eba:c4e | zgrep 2a0d:5600:9::2149:2eba:c4e *conn* | 2a0d:5600:9::2149:2eba:c4e
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::2161:775b:ce56 | zgrep 2a0d:5600:9::2161:775b:ce56 *conn* | 2a0d:5600:9::2161:775b:ce56
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::235a:9040:5f2e | zgrep 2a0d:5600:9::235a:9040:5f2e *conn* | 2a0d:5600:9::235a:9040:5f2e
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::291:a34c:b767 | zgrep 2a0d:5600:9::291:a34c:b767 *conn* | 2a0d:5600:9::291:a34c:b767
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::2cc3:398f:9b0b | zgrep 2a0d:5600:9::2cc3:398f:9b0b *conn* | 2a0d:5600:9::2cc3:398f:9b0b
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::35ba:69fe:599c | zgrep 2a0d:5600:9::35ba:69fe:599c *conn* | 2a0d:5600:9::35ba:69fe:599c
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::42c4:1aa9:57d4 | zgrep 2a0d:5600:9::42c4:1aa9:57d4 *conn* | 2a0d:5600:9::42c4:1aa9:57d4
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::47eb:a03e:4df8 | zgrep 2a0d:5600:9::47eb:a03e:4df8 *conn* | 2a0d:5600:9::47eb:a03e:4df8
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::49e6:cc16:28a7 | zgrep 2a0d:5600:9::49e6:cc16:28a7 *conn* | 2a0d:5600:9::49e6:cc16:28a7
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::5020:4c8e:d671 | zgrep 2a0d:5600:9::5020:4c8e:d671 *conn* | 2a0d:5600:9::5020:4c8e:d671
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::50b3:7375:7156 | zgrep 2a0d:5600:9::50b3:7375:7156 *conn* | 2a0d:5600:9::50b3:7375:7156
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::5555:be8c:fbf1 | zgrep 2a0d:5600:9::5555:be8c:fbf1 *conn* | 2a0d:5600:9::5555:be8c:fbf1
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::5861:cf7d:8180 | zgrep 2a0d:5600:9::5861:cf7d:8180 *conn* | 2a0d:5600:9::5861:cf7d:8180
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::5883:7989:9946 | zgrep 2a0d:5600:9::5883:7989:9946 *conn* | 2a0d:5600:9::5883:7989:9946
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::599a:9ddc:c95 | zgrep 2a0d:5600:9::599a:9ddc:c95 *conn* | 2a0d:5600:9::599a:9ddc:c95
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::5e19:a693:6e8d | zgrep 2a0d:5600:9::5e19:a693:6e8d *conn* | 2a0d:5600:9::5e19:a693:6e8d
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::5fe:196f:54cc | zgrep 2a0d:5600:9::5fe:196f:54cc *conn* | 2a0d:5600:9::5fe:196f:54cc
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::6c57:d06c:7729 | zgrep 2a0d:5600:9::6c57:d06c:7729 *conn* | 2a0d:5600:9::6c57:d06c:7729
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::6f48:975d:85db | zgrep 2a0d:5600:9::6f48:975d:85db *conn* | 2a0d:5600:9::6f48:975d:85db
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::7873:ec2:69e7 | zgrep 2a0d:5600:9::7873:ec2:69e7 *conn* | 2a0d:5600:9::7873:ec2:69e7
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::7ca3:171c:8e43 | zgrep 2a0d:5600:9::7ca3:171c:8e43 *conn* | 2a0d:5600:9::7ca3:171c:8e43
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::8cda:9b39:e905 | zgrep 2a0d:5600:9::8cda:9b39:e905 *conn* | 2a0d:5600:9::8cda:9b39:e905
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::960e:8af8:109a | zgrep 2a0d:5600:9::960e:8af8:109a *conn* | 2a0d:5600:9::960e:8af8:109a
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::9691:2801:4c8f | zgrep 2a0d:5600:9::9691:2801:4c8f *conn* | 2a0d:5600:9::9691:2801:4c8f
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::99f7:1633:ce5b | zgrep 2a0d:5600:9::99f7:1633:ce5b *conn* | 2a0d:5600:9::99f7:1633:ce5b
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::9b33:abd4:96f7 | zgrep 2a0d:5600:9::9b33:abd4:96f7 *conn* | 2a0d:5600:9::9b33:abd4:96f7
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::9db7:1f30:8241 | zgrep 2a0d:5600:9::9db7:1f30:8241 *conn* | 2a0d:5600:9::9db7:1f30:8241
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::a582:2011:e14 | zgrep 2a0d:5600:9::a582:2011:e14 *conn* | 2a0d:5600:9::a582:2011:e14
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::a962:d69f:9628 | zgrep 2a0d:5600:9::a962:d69f:9628 *conn* | 2a0d:5600:9::a962:d69f:9628
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::bc1f:dbfa:2238 | zgrep 2a0d:5600:9::bc1f:dbfa:2238 *conn* | 2a0d:5600:9::bc1f:dbfa:2238
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::c64f:2358:a154 | zgrep 2a0d:5600:9::c64f:2358:a154 *conn* | 2a0d:5600:9::c64f:2358:a154
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::c677:8c3e:140a | zgrep 2a0d:5600:9::c677:8c3e:140a *conn* | 2a0d:5600:9::c677:8c3e:140a
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::c6d4:8ee7:d208 | zgrep 2a0d:5600:9::c6d4:8ee7:d208 *conn* | 2a0d:5600:9::c6d4:8ee7:d208
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::c74a:8d92:aa2b | zgrep 2a0d:5600:9::c74a:8d92:aa2b *conn* | 2a0d:5600:9::c74a:8d92:aa2b
Medium | DNS history | conn | ts, id.resp_h | path="conn" ts>2020-01-01 ts<2020-12-31 "id.resp_h"=2a0d:5600:9::c751:1ddf:174b | zgrep 2a0d:5600:9::c751:1ddf:174b *conn* | 2a0d:5600:9::c751:1ddf:174b
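The Splunk and zgrep columns above encode the same handful of matching rules (URI prefix with a SolarWinds host exclusion, domain-or-subdomain match, hash lookup, certificate CN and serial match, IPv6 responder within a date window). The script below is an added example, not Corelight's or FireEye's code, that applies those rules to Corelight-style Zeek JSON log lines (records carrying a `_path` field); the sample log lines are constructed for the demonstration, and the IPv6 set holds only two of the table's addresses, to be extended with the rest.

```python
"""Apply the SUNBURST/BEACON indicators from the table above to Zeek JSON logs.
Added example; the log lines under SAMPLE_LINES are constructed, not captures."""
import ipaddress
import json
import re

# Indicator sets transcribed from the table.
SUNBURST_URIS = ("/swip/Events", "/swip/upd/", "/swip/SystemDescription", "swip/Upload.ashx")
SOLARWINDS = "solarwinds.com"  # legitimate SWIP traffic to SolarWinds is excluded
C2_DOMAINS = {
    "avsvmcloud.com", "digitalcollege.org", "freescanonline.com", "deftsecurity.com",
    "thedoccloud.com", "virtualdataserver.com", "incomeupdate.com", "zupertech.com",
    "databasegalore.com", "panhardware.com", "highdatabase.com", "websitetheme.com",
    "lcomputers.com", "webcodez.com", "globalnetworkissues.com", "kubecloud.com",
    "seobundlekit.com",
}
FILE_MD5 = {
    "02af7cec58b9a5da1c542b5a32151ba1", "08e35543d6110ed11fdf558bb093d401",
    "2c4a910a1299cdae2a4e55988a2f102e", "846e27a652a5e1bfbd0ddd38a16dc865",
    "b91ce2fa41029f6955bff20079468448", "4f2eb62fa529c0283b28d05ddd311fae",
    "56ceb6d0011d87b6e4d7023d7ef85676",
}
FILE_SHA256 = {"d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600"}
X509_SERIALS = {"0fe973752022a606adf2a36e345dc0ed"}
# Two of the "DNS history" responders from the table; add the remaining ones here.
C2_IPS = {ipaddress.ip_address(a) for a in
          ("2a0d:5600:9::12cd:14bb:2dad", "2a0d:5600:9::c751:1ddf:174b")}
TS_WINDOW = (1577836800.0, 1609372800.0)  # 2020-01-01 .. 2020-12-31 UTC, as in the conn queries

# sid 77600837: name="...";filename="..." followed by Content-Type in a POST body
BEACON_POST = re.compile(r'name="[^"]*";filename="[^"]*"\s*Content-Type:')
CN_RE = re.compile(r"CN=([^,]+)")


def under_domain(name, domain):
    """True for the domain itself or any subdomain (query="x" OR query="*.x")."""
    name = (name or "").lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def c2_domain(name):
    return next((d for d in C2_DOMAINS if under_domain(name, d)), None)


def check_http(r):
    host, uri = r.get("host") or "", r.get("uri") or ""
    hits = []
    if any(p in uri for p in SUNBURST_URIS) and not under_domain(host, SOLARWINDS):
        hits.append("SUNBURST swip URI to non-SolarWinds host")
    d = c2_domain(host)
    if d:
        hits.append("HTTP Host under C2 domain " + d)
    if r.get("method") == "POST" and BEACON_POST.search(r.get("post_body") or ""):
        hits.append("BEACON multipart POST body")
    return hits


def check_dns(r):
    d = c2_domain(r.get("query"))
    return ["DNS query under C2 domain " + d] if d else []


def check_x509(r):
    hits = []
    m = CN_RE.search(r.get("certificate.subject") or "")
    d = c2_domain(m.group(1).lstrip("*.")) if m else None  # handles wildcard CNs
    if d:
        hits.append("x509 subject CN under " + d)
    if (r.get("certificate.serial") or "").lower() in X509_SERIALS:
        hits.append("x509 serial IOC")
    return hits


def check_files(r):
    hits = []
    if (r.get("md5") or "").lower() in FILE_MD5:
        hits.append("file MD5 IOC")
    if (r.get("sha256") or "").lower() in FILE_SHA256:
        hits.append("file SHA256 IOC")
    return hits


def check_conn(r):
    try:
        ip = ipaddress.ip_address(r.get("id.resp_h") or "")
    except ValueError:
        return []
    ts = float(r.get("ts") or 0)
    if ip in C2_IPS and TS_WINDOW[0] <= ts < TS_WINDOW[1]:
        return ["conn to IPv6 responder from DNS-history list"]
    return []


CHECKS = {"http": check_http, "dns": check_dns, "x509": check_x509,
          "files": check_files, "conn": check_conn}


def scan(lines):
    """Return (log, uid, reason) for every JSON log line that matches an indicator."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        r = json.loads(line)
        check = CHECKS.get(r.get("_path"))  # Corelight JSON logs name the log here
        for reason in (check(r) if check else []):
            hits.append((r["_path"], r.get("uid") or r.get("fuid") or "-", reason))
    return hits


# Constructed sample records: one benign SolarWinds update, one 2021 conn outside the window.
SAMPLE_LINES = [json.dumps(r) for r in [
    {"_path": "http", "uid": "C1", "host": "orion.example.corp", "method": "GET", "uri": "/swip/Events"},
    {"_path": "http", "uid": "C2", "host": "downloads.solarwinds.com", "method": "GET",
     "uri": "/swip/upd/SolarWinds.CortexPlugin.Components.xml"},
    {"_path": "dns", "uid": "C3", "query": "02m6hcopd1ceqcuh7nbzkq.appsync-api.eu-west-1.avsvmcloud.com"},
    {"_path": "x509", "fuid": "F1", "certificate.subject": "CN=*.zupertech.com",
     "certificate.serial": "0FE973752022A606ADF2A36E345DC0ED"},
    {"_path": "files", "fuid": "F2", "md5": "2c4a910a1299cdae2a4e55988a2f102e"},
    {"_path": "conn", "uid": "C4", "ts": 1602000000.0, "id.resp_h": "2a0d:5600:9::12cd:14bb:2dad"},
    {"_path": "conn", "uid": "C5", "ts": 1612000000.0, "id.resp_h": "2a0d:5600:9::12cd:14bb:2dad"},
    {"_path": "http", "uid": "C6", "host": "198.51.100.7", "method": "POST", "uri": "/",
     "post_body": 'Content-Disposition: form-data; name="f";filename="x"\nContent-Type: application/octet-stream'},
]]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(*hit, sep="\t")
```

Feed real logs with `zcat http.*.log.gz dns.*.log.gz | python3 sunburst_scan.py`-style piping into `scan()`; the domain matcher treats an exact match or any subdomain as a hit, the SolarWinds exclusion mirrors the Snort `content:!".solarwinds.com"` negation, and the conn check applies the same 2020 window as the table's Splunk queries, so a 2021 connection to a listed responder is deliberately not reported.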