[Bro] DNS behavior alerting
liburdi.joshua at gmail.com
Fri Oct 2 13:45:50 PDT 2015
In my experience, detecting DNS tunneling with Anthony's first
suggestion may be the easiest and most effective way. I have a script
that does that and it's very high quality (no false positives except
for anti-virus DNS activity, which is easily whitelisted).
On Fri, Oct 2, 2015 at 3:04 PM, anthony kasza <anthony.kasza at gmail.com> wrote:
> For DNS tunneling detection, look for long qnames with few labels, very low
> TTLs, odd qclasses and types (like null), and response rr's with high ratios
> of ASCII to non ASCII bytes.
> You can also look for bursty queries from a single orig_h for a single qname
> (likely with many different subdomains).
> Remember that both the client software issuing queries and the name server
> software issuing responses need to know how to decode tunneling queries.
> Check out the Iodine protocol specification for more info.
> On Oct 2, 2015 10:54 AM, "Brian Kellogg" <theflakes at gmail.com> wrote:
>> I started a Bro script a while ago that I haven't had time to develop much
>> beyond the starter framework. The script is meant to do the below. I
>> started working on it again but I'd welcome any help/feedback anyone would
>> be willing to offer. It does try to do some basic DNS tunneling detection
>> but it needs more intelligence built into it. For DNS tunneling the script
>> looks at the query size and the return message size and then uses sumstats
>> to alert on any host that crosses a specified threshold of suspicious DNS
>> reqs/msgs seen.
>> I have seen that there are a lot of services out there conducting large
>> hostname queries which creates some FPs.
>> # Raises notices for odd or suspicious DNS traffic
>> # - Detects DNS on non-standard ports
>> # - Attempts to detect DNS tunneling
>> # - intelligence for different query types --- TO DO
>> # - statistical analysis' --- TO DO
>> # - Detect DNS responses with interesting IPs --- TO DO
>> Script on GitHub:
>> -Brian Kellogg
>> Bro mailing list
>> bro at bro-ids.org
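The query-side heuristics Anthony lists (long qnames with few labels, very low TTLs, odd qtypes, many subdomains under one name) and the per-host threshold Brian describes, run over a few constructed dns.log-style records. This is an added Python example, not Brian's Bro script or anything from the Bro project; the thresholds, the record field names and the whitelisted anti-virus domain are assumptions.

```python
from collections import defaultdict

# Thresholds are assumptions for this example; tune them against your own dns.log.
MAX_QNAME_LEN, FEW_LABELS = 50, 4      # "long qnames with few labels"
MAX_LABEL_LEN = 30                     # a single label carrying an encoded chunk
LOW_TTL = 5                            # "very low TTLs"
ODD_QTYPES = {"NULL", "TXT"}           # odd types tunnels lean on
AV_WHITELIST = ("avscan.example",)     # constructed anti-virus lookup domain

def suspicious_reasons(rec):
    """Heuristics a single dns.log-style record trips (empty list = clean)."""
    qname = rec["query"].rstrip(".").lower()
    if qname.endswith(AV_WHITELIST):   # whitelisted AV lookups never alert
        return []
    labels = qname.split(".")
    reasons = []
    if len(qname) > MAX_QNAME_LEN and len(labels) <= FEW_LABELS:
        reasons.append("long_qname_few_labels")
    if max(len(label) for label in labels) > MAX_LABEL_LEN:
        reasons.append("long_label")
    if rec["qtype_name"] in ODD_QTYPES:
        reasons.append("odd_qtype")
    if rec.get("ttl") is not None and rec["ttl"] < LOW_TTL:  # no TTL on timeouts
        reasons.append("low_ttl")
    return reasons

def flag_hosts(records, threshold):
    """Per-orig_h count of suspicious requests (SumStats-style threshold); returns hosts at/over it."""
    counts = defaultdict(int)
    for rec in records:
        if suspicious_reasons(rec):
            counts[rec["orig_h"]] += 1
    return {host: n for host, n in counts.items() if n >= threshold}

def subdomain_fanout(records):
    """Distinct subdomains per (orig_h, parent domain); parent = last two labels, no public-suffix list."""
    seen = defaultdict(set)
    for rec in records:
        labels = rec["query"].rstrip(".").lower().split(".")
        if len(labels) > 2:
            seen[(rec["orig_h"], ".".join(labels[-2:]))].add(".".join(labels[:-2]))
    return {key: len(subs) for key, subs in seen.items()}

RECORDS = [  # constructed dns.log-style rows, not captured traffic
    {"orig_h": "10.0.0.5", "query": "www.example.com", "qtype_name": "A", "ttl": 300},
    {"orig_h": "10.0.0.9", "query": "ge2dcnbvgy3tqojqgezdcmrtgq2tinjwg43dsobrga.t.example.net", "qtype_name": "NULL", "ttl": 0},
    {"orig_h": "10.0.0.9", "query": "gezdgnbvgy3tqojqgezdcmrtgq2tinjwg43dsobrgb.t.example.net", "qtype_name": "NULL", "ttl": 0},
    {"orig_h": "10.0.0.9", "query": "gq2tinjwg43dsobrgaydambqgezdgnbvgy3tqojqgc.t.example.net", "qtype_name": "NULL", "ttl": 0},
    {"orig_h": "10.0.0.7", "query": "3f2a9c0d4e5b6a7f8091a2b3c4d5e6f7.lookup.avscan.example", "qtype_name": "TXT", "ttl": 1},
]
```

The whitelist entry is what keeps the anti-virus style lookup (long hex label, TXT, TTL 1) from counting, which is the false-positive class Joshua mentions.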