20. Hosts

The Hosts module evaluates the entries in the local hosts file.
20.1. References
20.2. Samples

```
Aug 26 11:46:14 server555.local.net/10.7.1.14
THOR: Warning: MODULE: Hosts
MESSAGE: New hosts entry - not found during the last run
ENTRY: master.comp-a.net
IP: 10.7.10.2
SCORE: 75
```

```
Jul 29 12:16:18 server99.local.net/10.1.1.55
THOR: Warning: MODULE: Hosts
MESSAGE: Suspicious entry found in Hosts file
ENTRY: ctldl.windowsupdate.com
IP: 127.0.0.1
SCORE: 75
```
20.3. Typical False Positives

- Entries on development systems to simulate future DNS resolution (e.g. `www.company-intranet.net 10.0.2.28`)
- Some Antivirus tools insert entries into the hosts file to immunize the system (e.g. Spybot Search & Destroy)
20.4. Attribute Evaluation

| Attribute | Question | Answer | Indication | Weight |
|---|---|---|---|---|
| MESSAGE | Does a new hosts file entry look legitimate? | Yes | Good | Medium |
| ENTRY | Is the FQDN related to a server of a security software, like an update server of an Antivirus product? (e.g. | Yes | Bad | Medium |
| IP | Is the IP address not in a local network? ( | No | Bad | Medium |
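The following Python script is an added illustration, not code from THOR or Nextron Systems, of how the two findings shown in the samples and the three attributes in the table above can be derived from a hosts file. It parses a constructed hosts file, diffs it against a constructed baseline from a "previous run" (giving the "New hosts entry" message), flags hostnames on a hypothetical watch list of update/security-vendor domains (giving the "Suspicious entry" message), and records whether the IP address is in a local network. The message texts and the score of 75 are taken from the samples; the watch list, the baseline, the hosts content and the way findings are produced are assumptions made for this example, not THOR's actual logic.

```python
"""Added illustration, not code from THOR or Nextron Systems.

Re-creates the two kinds of findings shown in the Hosts module samples
over a constructed hosts file:
  * "New hosts entry - not found during the last run": the (hostname, ip)
    pair is absent from the previous run's baseline.
  * "Suspicious entry found in Hosts file": the hostname belongs to a
    watched update/security-vendor domain (a hosts override there can
    silence updates, as with ctldl.windowsupdate.com -> 127.0.0.1).
The "ip_local" attribute answers the IP question from the evaluation table.
All inputs below are constructed sample data.
"""
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Message texts and score as they appear in the sample log lines.
NEW_ENTRY_MSG = "New hosts entry - not found during the last run"
SUSPICIOUS_MSG = "Suspicious entry found in Hosts file"
SCORE = 75

# Constructed hosts file content (assumed: standard "IP hostname..." format).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
10.0.2.28       www.company-intranet.net   # dev box, simulated DNS
127.0.0.1       ctldl.windowsupdate.com    # immunisation-style override
10.7.10.2       master.comp-a.net
not-an-ip       broken.example             # malformed, must be skipped
"""

# Constructed baseline: (hostname, ip) pairs seen during the "last run".
PREVIOUS_RUN: Set[Tuple[str, str]] = {
    ("localhost", "127.0.0.1"),
    ("www.company-intranet.net", "10.0.2.28"),
    ("ctldl.windowsupdate.com", "127.0.0.1"),
}

# Hypothetical watch list of update / security-vendor domain suffixes.
WATCHED_SUFFIXES = ("windowsupdate.com", "update.example-av.invalid")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (hostname, ip) pairs, one per hostname on a line.

    Comments and blank lines are dropped; a line whose first field is not
    a valid IPv4/IPv6 address is skipped rather than raising.
    """
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((name.lower(), fields[0]))
    return entries


def is_local_address(ip: str) -> bool:
    """True for loopback, private (RFC 1918 / ULA) and link-local addresses."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_private or addr.is_link_local


def is_watched(name: str, watched: Iterable[str]) -> bool:
    """Exact or subdomain match against the watched suffix list."""
    return any(name == s or name.endswith("." + s) for s in watched)


def evaluate(text: str, previous: Set[Tuple[str, str]],
             watched: Iterable[str]) -> List[Dict[str, object]]:
    """Produce findings in file order, mirroring the sample messages."""
    findings: List[Dict[str, object]] = []
    for name, ip in parse_hosts(text):
        attrs = {"entry": name, "ip": ip,
                 "ip_local": is_local_address(ip), "score": SCORE}
        if (name, ip) not in previous:
            findings.append({"message": NEW_ENTRY_MSG, **attrs})
        if is_watched(name, watched):
            findings.append({"message": SUSPICIOUS_MSG, **attrs})
    return findings


def format_finding(f: Dict[str, object]) -> str:
    """Render one finding in the layout of the sample log lines."""
    return "\n".join([
        "THOR: Warning: MODULE: Hosts",
        f"MESSAGE: {f['message']}",
        f"ENTRY: {f['entry']}",
        f"IP: {f['ip']}",
        f"SCORE: {f['score']}",
    ])


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_HOSTS, PREVIOUS_RUN, WATCHED_SUFFIXES):
        print(format_finding(finding), end="\n\n")
```

Run as-is, the script reports `ctldl.windowsupdate.com` as suspicious (watched domain, already in the baseline) and `master.comp-a.net` as new (absent from the baseline, local 10.x address), which is the same pair of findings the samples show. For real use the baseline would be persisted between runs and the watch list maintained as a vendor/update-server allowlist.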