Things I Do to Investigate Beacons
I’m coming to you today because I published a new tool.
I recently set up Corelight@Home to test it out, and have Rita installed alongside it. It’s a pretty cool combo and took very little time to set up. But I found myself spending a lot of time looking up the results that showed up in Rita, and I figured I could automate some of that process. The result is UnknownBeacons. It’s pretty straightforward if you read through the script, but I’ll walk you through it here as well.
First, this script works in conjunction with a file I call unknown-beacons.txt. If you want it to be called something different you'd need to change that in the script, but that's some of the context for the script. When you run the script with unknown_beacons.sh [IP] it runs through that file and checks to see if there's already an entry; if there is, it will show that entry and the comments that are tied to it. If there isn't, it kicks you to the next step. It performs a whois -h whois.cymru.com search on the IP; I picked that one because it's really concise and doesn't have a ton of the data that the standard whois search contains. You are then presented with the option to add a comment on a single line, or just add the whois results.
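As an added example (not the UnknownBeacons script itself), here is the lookup-then-record flow described above reduced to two shell functions. The notes file layout (one "IP | whois summary | comment" line per beacon) and the fake_whois stand-in that replaces the Team Cymru query offline are assumptions of this example, not of the original script:

```shell
#!/bin/sh
# Added example: same shape as the post's workflow, not the original script.
# Assumed file format: one "IP | whois summary | comment" line per beacon.
NOTES_FILE="${NOTES_FILE:-unknown-beacons.txt}"

# Real lookup: Team Cymru answers with a header line plus one data line.
cymru_whois() { whois -h whois.cymru.com "$1" | tail -n 1; }

# Constructed stand-in so the example runs without network access.
fake_whois() { printf '%s\n' "AS64496 | $1 | constructed example AS"; }

# Print every existing line whose first field is exactly this IP;
# return 1 if the file is missing or holds no entry for it.
lookup_beacon() {
    ip="$1"
    [ -f "$NOTES_FILE" ] || return 1
    awk -F' [|] ' -v ip="$ip" '$1 == ip { found = 1; print } END { exit !found }' "$NOTES_FILE"
}

# Append a new entry (whois summary plus optional one-line comment);
# refuse to duplicate an IP that is already recorded.
record_beacon() {
    ip="$1"; comment="$2"; lookup="${3:-cymru_whois}"
    if lookup_beacon "$ip" >/dev/null; then
        echo "already recorded: $ip" >&2
        return 2
    fi
    printf '%s | %s | %s\n' "$ip" "$("$lookup" "$ip")" "$comment" >> "$NOTES_FILE"
}

# Command-line use, mirroring unknown_beacons.sh [IP]: show the entry if
# it exists, otherwise look the IP up and record it with the comment given.
if [ $# -gt 0 ]; then
    lookup_beacon "$1" || record_beacon "$1" "${2:-}"
fi
```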
The reason I created this was because I found myself running the same whois search to see the results, then running it again to dump it into the file (who needs tail -f??) and then starting to look up what that IP is in relation to my home network and manually going into the file to add comments. Now I can just do all that at once and save a few keystrokes.
In the README you can see things that I'm going to work on going forward, and that's incorporating the Alien Vault and VirusTotal APIs to help enrich the notes, and for the comments allowing for multiple lines to be added instead of just one, and then going back and adding comments after the initial script has run. Other than that, I also want to re-write it in golang for the practice, but that'll probably be once I'm happy with how the bash version is going.
Part of why I wrote this is because I can always use the practice, but also because I wanted to provide myself a foundation to work with APIs and incorporating them into scripts. This isn’t going to change the world, but imagine what I can accomplish with all those seconds I save…