[Bro] Detecting software components that do strange dns queries
tritium.cat at gmail.com
Fri Mar 22 18:53:03 PDT 2013
Yes, thanks for the example and detail.
CFA was the first thing that crossed my mind so I googled for it and found
the Arxiv paper; it sounds promising to me but I can see your point about
While searching for supporting information I found old Google and Github
projects with some code inspired by the paper. It appears someone forked
the original project but abandoned it after updating the README file. :/
On Fri, Mar 22, 2013 at 8:06 AM, C. L. Martinez <carlopmart at gmail.com>wrote:
> On Fri, Mar 22, 2013 at 2:06 PM, Vlad Grigorescu <vladg at cmu.edu> wrote:
> > You can do character frequency analysis with a simple Bro script. Look
> at <http://www.bro.org/documentation-git/scripts/base/strings.bif.html>
> to see the functions you can use for strings.
> > I think that this is asking the wrong question, however. I'd be amazed
> if you could reliably determine "good" domains from "bad" domains based
> simply on character frequency analysis. Bro can calculate entropy for you: <
> That being said, I don't think entropy is the right answer either.
> > Here are the entropy results (in no particular order) for the 4 domains
> you listed and for 4 very common domains (google.com, twitter.com,
> fbcdn.net and amazon.co.uk):
> > [entropy=2.646439, chi_square=450.8, mean=100.2, monte_carlo_pi=4.0,
> > [entropy=3.085055, chi_square=400.538462, mean=104.692308,
> monte_carlo_pi=4.0, serial_correlation=-0.005991]
> > [entropy=3.095795, chi_square=338.090909, mean=106.727273,
> monte_carlo_pi=4.0, serial_correlation=0.062381]
> > [entropy=3.027169, chi_square=384.636364, mean=104.727273,
> monte_carlo_pi=4.0, serial_correlation=0.011643]
> > [entropy=3.182006, chi_square=424.857143, mean=105.5,
> monte_carlo_pi=4.0, serial_correlation=-0.050923]
> > [entropy=2.947703, chi_square=303.888889, mean=98.0, monte_carlo_pi=4.0,
> > [entropy=3.084963, chi_square=372.0, mean=97.666667, monte_carlo_pi=4.0,
> > [entropy=2.845351, chi_square=431.181818, mean=102.818182,
> monte_carlo_pi=4.0, serial_correlation=-0.322755]
> > I don't know about you, but I can't tell which are good and which are
> bad. I suspect that DNS names are too short of a sample to provide any
> meaningful data.
> > I think you should focus instead on the behavior that you're trying to
> detect. Looking at your example below, some alerts that'd be more useful
> might be:
> > - Too many NXDOMAIN queries.
> > - A query that resolves to an ISC sinkhole.
> > - Queries for a domain that no one else queried.
> > - Repetitive queries every X seconds with little to no deviation.
> > - Queries for a domain that you haven't seen before.
> > Hope this helps,
> > --Vlad
> Many many thanks Vlad for your explanation ... I'll think about it this
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro