[Bro] DNS behavior alerting
anthony.kasza at gmail.com
Fri Oct 2 12:04:00 PDT 2015
For DNS tunneling detection, look for long qnames with few labels, very low
TTLs, odd qclasses and types (like null), and response rr's with high
ratios of ASCII to non ASCII bytes.
You can also look for bursty queries from a single orig_h for a single
qname (likely with many different subdomains).
Remember that both the client software issuing queries and the name server
software issuing responses need to know how to decode tunneling queries.
Check out the Iodine protocol specification for more info.
On Oct 2, 2015 10:54 AM, "Brian Kellogg" <theflakes at gmail.com> wrote:
> I started a Bro script a while ago that I haven't had time to develop much
> beyond the starter framework. The script is meant to do the below. I
> started working on it again but I'd welcome any help/feedback anyone would
> be willing to offer. It does try to do some basic DNS tunneling detection
> but it needs more intelligence built into it. For DNS tunneling the script
> looks at the query size and the return message size and then uses sumstats
> to alert on any host that crosses a specified threshold of supicious DNS
> reqs/msgs seen.
> I have seen that there are a lot of services out there conducting large
> hostname queries which creates some FPs.
> # Raises notices for odd or suspicious DNS traffic
> # - Detects DNS on non-standard ports
> # - Attempts to detect DNS tunneling
> # - intelligence for different query types --- TO DO
> # - statistical analysis' --- TO DO
> # - Detect DNS responses with interesting IPs --- TO DO
> *Script on GitHub:*
> -Brian Kellogg
> Bro mailing list
> bro at bro-ids.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro