
TinyCheck seems to not detect DNS queries to stalkerwares servers #51

Closed
leandreSL opened this issue Feb 16, 2021 · 3 comments

leandreSL commented Feb 16, 2021

Hi,

After testing TinyCheck in a virtual environment (with a few modifications to the code), I decided to test it on the intended environment: a Raspberry Pi 4 (with a touchscreen).

But after a few tests with a stalkerware (in this test, Snoopza) installed on a smartphone, I saw that it didn't detect the first DNS query to api.snoopza.com (it is easily viewable in capture.pcap with a DNS filter).
In every test, I wait at least 5 minutes, and I do some things like rebooting, taking photos, surfing, etc. On the Snoopza panel, I get information on the smartphone, so there is communication between the smartphone and Snoopza's server.

In the virtual environment, I modified the zeekengine.py file to also loop over all DNS queries and compare them with the IOCs:

for d in self.dns:
    # Check for blacklisted domain.
    for domain in bl_domains:
        if d["domain"].endswith(domain[0]):
            .....

I saw that this part adds DNS resolution to the analysis engine, but I don't understand why it doesn't seem to work in my test case:

for c in self.conns:
    c["resolution"] = self.resolve(c["ip_dst"])

I wonder if I am doing something wrong, or if the analysis also needs to loop over the DNS queries?

Thanks for the work on this amazing tool,
Léandre

@leandreSL leandreSL changed the title TinyCheck doesn't detect DNS queries to stalkerwares servers TinyCheck seems to not detect DNS queries to stalkerwares servers Feb 16, 2021
@felixaime (Contributor)

Hello Léandre,

Nice catch, I have the same issue here: it put the domain api.snoopza.com in whitelisted comms in the report, even though neither that domain nor its CIDR is whitelisted. I'm going to trace the whole thing, see where the bug is and come back to you this afternoon!

Félix.

@felixaime (Contributor)

Re Léandre,

Ok, it's not related to the engine but to a typo in the whitelisted CIDR: 199.36.154.0/2 -_-. Sure, if we whitelist all of the internet, and not the CIDR 199.36.154.0/23, it will not work. I'm going to update whitelist.json and also the update script to remove the entry. You can remove it yourself by going to the backend, whitelist, search element, typing 199.36.154.0/2, and then the delete button.

Have a good day,
Félix.
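The bug above is a good illustration of why an allow-list deserves a sanity check: 199.36.154.0/2 has host bits set and normalises to 192.0.0.0/2, so a quarter of the IPv4 space (including most public addresses) is silently treated as whitelisted before any IOC matching happens. The following is an added example, not TinyCheck's own code; the entries, the /16 threshold and the sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed allow-list modelled on the thread: the mistyped "/2" entry next to
# the intended "/23" and one private range. Not TinyCheck's real whitelist.json.
WHITELIST_CIDRS = ["199.36.154.0/2", "199.36.154.0/23", "10.0.0.0/8"]

# Assumption: an allow-list entry broader than /16 is almost certainly a typo.
MIN_PREFIX_V4 = 16


def is_whitelisted(ip, cidrs):
    """True if ip falls inside any entry. strict=False mirrors a lenient loader
    that accepts an entry with host bits set, which is how a bad /2 slips in."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def audit_cidr(cidr, min_prefix=MIN_PREFIX_V4):
    """Return a list of problems with one entry (empty list means it looks sane)."""
    problems = []
    net = ipaddress.ip_network(cidr, strict=False)
    try:
        ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        # Host bits set: the typed address is not the network the prefix denotes.
        problems.append(f"normalises to {net}, not the address typed")
    if net.prefixlen < min_prefix:
        problems.append(
            f"covers {net.num_addresses} addresses (/{net.prefixlen} is broader than /{min_prefix})"
        )
    return problems


def audit_whitelist(cidrs, min_prefix=MIN_PREFIX_V4):
    """Map each suspicious entry to its problems; clean entries are omitted."""
    findings = {}
    for c in cidrs:
        problems = audit_cidr(c, min_prefix)
        if problems:
            findings[c] = problems
    return findings


if __name__ == "__main__":
    for entry, issues in audit_whitelist(WHITELIST_CIDRS).items():
        print(entry, "->", "; ".join(issues))
    # A public address nowhere near Snoopza's range is allow-listed by the bad entry.
    print(is_whitelisted("203.0.113.5", ["199.36.154.0/2"]))   # True
    print(is_whitelisted("203.0.113.5", ["199.36.154.0/23"]))  # False
```

Running the audit on a whitelist before loading it flags both the host-bits mismatch and the excessive coverage, which is cheaper than tracing a missed detection back through the engine.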

felixaime added a commit that referenced this issue Feb 16, 2021
@leandreSL (Author)

Thank you for the quick reply,

It fixed everything, thank you!

I think I can close this issue.

Have a nice day too,
Léandre.
