[Bro] DNS behavior alerting
vern at berkeley.edu
Sun Oct 4 17:32:34 PDT 2015
> In my experience, detecting DNS tunneling with Anthony's first
> suggestion may be the easiest and most effective way. I have a script
> that does that and it's very high quality (no false positives except
> for anti-virus DNS activity, which is easily whitelisted).
For those interested in this, we developed a general framework for detecting
surreptitious communication over DNS:
We mainly explored it for off-line use, but also showed that in principle
it could run in real-time. We didn't do a Bro implementation, though.