[Bro] DNS behavior alerting

Josh Liburdi liburdi.joshua at gmail.com
Fri Oct 2 13:45:50 PDT 2015

In my experience, detecting DNS tunneling with Anthony's first
suggestion may be the easiest and most effective way. I have a script
that does that and it's very high quality (no false positives except
for anti-virus DNS activity, which is easily whitelisted).

On Fri, Oct 2, 2015 at 3:04 PM, anthony kasza <anthony.kasza at gmail.com> wrote:
> For DNS tunneling detection, look for long qnames with few labels, very low
> TTLs, odd qclasses and types (like null), and response rr's with high ratios
> of ASCII to non ASCII bytes.
> You can also look for bursty queries from a single orig_h for a single qname
> (likely with many different subdomains).
> Remember that both the client software issuing queries and the name server
> software issuing responses need to know how to decode tunneling queries.
> Check out the Iodine protocol specification for more info.
> -AK
> On Oct 2, 2015 10:54 AM, "Brian Kellogg" <theflakes at gmail.com> wrote:
>> I started a Bro script a while ago that I haven't had time to develop much
>> beyond the starter framework.  The script is meant to do the below.  I
>> started working on it again but I'd welcome any help/feedback anyone would
>> be willing to offer.  It does try to do some basic DNS tunneling detection
>> but it needs more intelligence built into it.  For DNS tunneling the script
>> looks at the query size and the return message size and then uses sumstats
>> to alert on any host that crosses a specified threshold of supicious DNS
>> reqs/msgs seen.
>> I have seen that there are a lot of services out there conducting large
>> hostname queries which creates some FPs.
>> # Raises notices for odd or suspicious DNS traffic
>> #   - Detects DNS on non-standard ports
>> #   - Attempts to detect DNS tunneling
>> #       - intelligence for different query types --- TO DO
>> #       - statistical analysis' --- TO DO
>> #   - Detect DNS responses with interesting IPs --- TO DO
>> Script on GitHub:
>> https://github.com/theflakes/bro-scripts/blob/master/2.4-scripts/dns-bad_behavior.bro
>> -Brian Kellogg
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list