[Bro] Blacklist DNS alerting

Bob Rotsted rrotsted at pdx.edu
Wed Mar 21 09:34:49 PDT 2012

Hello all,

I recently spun up my first Bro instance and I'm trying to find the most
elegant way to alert any time there is a query for a particular set of
malicious domains (ex.
https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist) .

Would this be best accomplished with a signature? Would I be better off
writing a hook for Bro's core DNS script?

Any input will be greatly appreciated,


Bob Rotsted

Network Security Analyst
Portland State University
Desk: 503-725-6215
Cell: 503-208-6575
314B D581 A8CD E28A A690 7E9D 5B43 4B28 0EB6 A21A

More information about the Bro mailing list