This will primarily benefit TLS connections to mail servers (most HTTPS clients use SNI, so those already get an FQDN).
Currently, for a connection to a mail server, we might have the following in
webtraffic.csv
1447859681.050708000 192.168.3.64 65.55.122.74 39540 993 "" "" ...snip...
We can see at a glance that it's probably IMAP over SSL, but we still don't have much information on which mail server is being connected to. We know the IP, so we could go off and look it up, but that's potentially a lot of work for a big capture.
PAS-13 will be generating a DNS equivalent of webtraffic.csv, so once that information is available, it'd be helpful if we could look for queries (around the time of the connection above) which resulted in that address being returned.
Assuming we find something, the FQDN column can be updated to show who the user probably thought they were connecting to.
We should probably add an additional column to webtraffic.csv though, to indicate where the FQDN was obtained from:
- Host Header
- SNI
- DNS traffic search
Especially for mail traffic, the last is perhaps less accurate where a mail server handles multiple domains. You could feasibly perform a lookup for "mail.innocentdomain.com" and then tell your script to talk to that mail server as if it were "mail.farlessinnocentdomain.com".
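As an added illustration (not code from the PAS project), here is one way the DNS-based enrichment described above could work once the PAS-13 DNS log exists. The column layouts for both files are assumptions: the webtraffic.csv rows are taken to carry timestamp, source IP, destination IP, source port, destination port, FQDN and FQDN source, and the DNS log rows are taken to carry timestamp, client IP, query name and answered IP. The sample rows are constructed. Rows that already have an FQDN from a Host header or SNI are left alone; for the rest, the script looks for names the same client resolved to the destination IP shortly before the connection, and flags the case from the caveat above, where more than one name resolved to that address, as ambiguous rather than guessing.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of webtraffic.csv (assumed column layout:
# timestamp src_ip dst_ip src_port dst_port "fqdn" "fqdn_source").
WEBTRAFFIC = """\
1447859681.050708000 192.168.3.64 65.55.122.74 39540 993 "" ""
1447859690.000000000 192.168.3.64 93.184.216.34 39541 443 "example.com" "SNI"
1447859700.000000000 192.168.3.64 10.0.0.5 39542 993 "" ""
"""

# Constructed sample of the DNS log PAS-13 is expected to produce
# (assumed column layout: timestamp client_ip query_name answer_ip).
DNS_LOG = """\
1447859680.100000000 192.168.3.64 imap.example.net 65.55.122.74
1447859680.200000000 192.168.3.64 mail.innocentdomain.com 10.0.0.5
1447859680.300000000 192.168.3.64 mail.farlessinnocentdomain.com 10.0.0.5
"""

# Space-separated with quoted string fields, as in the sample row above.
CSV_OPTS = dict(delimiter=" ", quotechar='"')


def load_dns(text):
    """Index DNS answers by returned IP -> list of (timestamp, client_ip, name)."""
    by_ip = defaultdict(list)
    for row in csv.reader(io.StringIO(text), **CSV_OPTS):
        if not row:
            continue
        ts, client, name, answer = row[:4]
        by_ip[answer].append((float(ts), client, name))
    return by_ip


def dns_candidates(by_ip, client_ip, dst_ip, conn_ts, window=60.0):
    """Names that `client_ip` resolved to `dst_ip` within `window` seconds
    before the connection at `conn_ts`. Returns a set; more than one entry
    means the address is shared and the name cannot be pinned down."""
    names = set()
    for ts, client, name in by_ip.get(dst_ip, []):
        if client == client_ip and conn_ts - window <= ts <= conn_ts:
            names.add(name)
    return names


def enrich(webtraffic_text, dns_text, window=60.0):
    """Return webtraffic rows as dicts with the FQDN and FQDN-source columns
    filled in from DNS traffic where nothing better is already present."""
    by_ip = load_dns(dns_text)
    out = []
    for row in csv.reader(io.StringIO(webtraffic_text), **CSV_OPTS):
        if not row:
            continue
        ts, src, dst, sport, dport, fqdn, source = row[:7]
        rec = {"ts": ts, "src": src, "dst": dst, "sport": sport,
               "dport": dport, "fqdn": fqdn, "fqdn_source": source}
        if fqdn:
            # Host header / SNI came from the connection itself; keep it.
            out.append(rec)
            continue
        names = dns_candidates(by_ip, src, dst, float(ts), window)
        if len(names) == 1:
            rec["fqdn"] = names.pop()
            rec["fqdn_source"] = "DNS traffic search"
        elif names:
            # Shared mail server: record every candidate and say so.
            rec["fqdn"] = ";".join(sorted(names))
            rec["fqdn_source"] = "DNS traffic search (ambiguous)"
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in enrich(WEBTRAFFIC, DNS_LOG):
        print(rec["ts"], rec["dst"], rec["dport"],
              rec["fqdn"] or "-", rec["fqdn_source"] or "-")
```

The 60-second window and the "client must match" rule are both choices rather than anything the issue specifies; a shorter window gives fewer false matches on busy hosts, and dropping the client match would be needed if DNS is resolved by a forwarder on behalf of the client.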