<div dir="ltr"><div><div>Firstly, props to the dshell team for making that decoder and releasing it.<br><br>Secondly, you shouldn't need a decoder to catch an implant using this type of channel. It's pretty high signal.<br><br></div>Thx,<br></div>Jason<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 3, 2015 at 11:06 AM, Dave Aitel <span dir="ltr">&lt;<a href="mailto:dave@immunityinc.com" target="_blank">dave@immunityinc.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
The US Army recently released <a href="http://gizmodo.com/the-army-just-open-sourced-its-security-software-1683023527" target="_blank">DShell</a>,
which they've been using to do network incident response, as open
source. Part of it is a <a href="https://github.com/USArmyResearchLab/Dshell/blob/master/decoders/dns/innuendo-dns.py" target="_blank">DNS
decoder</a> that tries to find INNUENDO traffic. Although they
developed it only by looking at our <a href="https://vimeo.com/115206626" target="_blank">demonstration video</a> (note:
email <a href="mailto:admin@immunityinc.com" target="_blank">admin@immunityinc.com</a> for an eval copy of INNUENDO!) we can
confirm their script works (see below).<br>
<br>
It may, or may not, work against the <b>next</b> version of
INNUENDO. ;><br>
<br>
Thanks,<br>
Dave Aitel<br>
Immunity, Inc.<br>
<br>
<img alt="Dshell image" src="cid:part4.00070701.04050309@immunityinc.com" width="1680" height="533"><br>
</div>
<br>_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
<br></blockquote></div><br></div>