[Bro] Bad DNS Detection

Umut Arus umuta at sabanciuniv.edu
Tue Mar 8 05:18:49 PST 2016


Hi Justin,

Thanks, but I need code or a configuration that queries the malware DNS/IP
sources that clients are trying to connect to and raises notices.

Or how do you identify malware-infected DDoS clients in your network with Bro?

thanks..


On Tue, Mar 8, 2016 at 3:09 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:

> This script that I wrote a while ago may help:
>
>
>
>
> It creates an external_dns.log file (which is just dns.log that has been
> pre-filtered for you) as well as raising notices when it detects clients
> using external dns servers.
>
>
> --
> - Justin Azoff
>
>
> > On Mar 8, 2016, at 12:53 AM, Umut Arus <umuta at sabanciuniv.edu> wrote:
> >
> > Hi,
> >
> > I'm setting up the Bro IDS. I will listen to DNS traffic via a SPAN port,
> but I wonder, how can I detect malware and victim clients that use bad
> DNS servers in the network?
> >
> > thanks.
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
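As an added example (not Justin's script, whose link was scrubbed from the archive), here is a minimal Bro script along the lines of what his message describes: it raises a notice when a local client sends a DNS query to a resolver that is not on an approved list. The resolver addresses are placeholders, and Site::local_nets is assumed to be configured (broctl's networks.cfg does this).

```bro
##! Added example, not the script from the original thread.
##! Raises a notice when a local client queries a DNS server that is not
##! in the approved resolver set. Assumes Bro 2.4-era syntax.

@load base/frameworks/notice
@load base/protocols/dns
@load base/utils/site

module ExternalDNS;

export {
    redef enum Notice::Type += {
        ## A local client queried a DNS server outside the approved set.
        External_DNS_Server
    };

    ## Approved resolvers. Placeholder addresses: replace with your own.
    const approved_resolvers: set[addr] = {
        10.0.0.53,
        10.0.1.53,
    } &redef;

    ## Suppress repeat notices for the same client/server pair this long.
    const report_interval = 1hr &redef;
}

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
{
    local client = c$id$orig_h;
    local server = c$id$resp_h;

    # Only queries originating from our own address space are of interest
    # (Site::is_local_addr relies on Site::local_nets being set).
    if ( ! Site::is_local_addr(client) )
        return;

    # Queries to an approved resolver are normal.
    if ( server in approved_resolvers )
        return;

    # Anything else, including a rogue resolver inside the network, is reported.
    # $identifier plus $suppress_for collapses repeats per client/server pair.
    NOTICE([$note=External_DNS_Server,
            $conn=c,
            $msg=fmt("%s queried unapproved DNS server %s for %s", client, server, query),
            $sub=query,
            $identifier=cat(client, server),
            $suppress_for=report_interval]);
}
```

Load it with `@load` from local.bro; notices then appear in notice.log and can be routed through the Notice framework's usual actions (email, alarm) with a Notice::policy hook.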