Why would Data Smuggler list an internal IP address as the destination?

If Data Smuggler is showing the destination IP (target) of the detection as an internal IP address it is possible that the given IP address is that of a proxy server.  For the purposes of the Data Smuggler, detection proxy servers are considered "external" as they are gateways to devices external to the network.

This may occur during normal operation when the algorithm is able to identify smuggler-like behaviors but is unable to determine the final destination of the traffic.

If the detection contains a packet capture (see the related article How are PCAPs created?) this packet capture may give the Analyst further information to assist in their investigation.

Further information should also be available in the proxy logs, showing the client connection and the final destination, the data transferred, and other associated information.

Was this article helpful?
0 out of 0 found this helpful

Download PDF


Article is closed for comments.