[Bro] DNS behavior alerting

Vern Paxson vern at berkeley.edu
Sun Oct 4 17:32:34 PDT 2015

> In my experience, detecting DNS tunneling with Anthony's first
> suggestion may be the easiest and most effective way. I have a script
> that does that and it's very high quality (no false positives except
> for anti-virus DNS activity, which is easily whitelisted).

For those interested in this, we developed a general framework for detecting
surreptitious communication over DNS:


We mainly explored it for off-line use, but also showed that in principle
it could run in real-time.  We didn't do a Bro implementation, though.