[Bro] Fast flux domains and Bro
Seth Hall
seth at icir.org
Fri Feb 17 07:19:15 PST 2012
On Feb 17, 2012, at 9:34 AM, relevant username wrote:
> I was wondering if anyone on the list has any experience using Bro to detect fast flux domains.
I wrote a script quite a few years ago, but I haven't touched it in a long time and it likely won't work right on 2.0. It's a very short script though and could probably be ported fairly easily. It uses the detection technique outlined in this paper:
http://pi1.informatik.uni-mannheim.de/filepool/publications/fast-flux-ndss08.pdf
Someone else had a fast flux detection script at that time too, but I don't know if they still have it floating around anywhere or not. I attached my script to this email. When it's ported to 2.x we can get it into the contributed scripts repository.
Attachment: dns-fastflux.bro (application/octet-stream, 2593 bytes)
http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20120217/cd51d335/attachment.obj
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
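The paper Seth points to (Holz et al., NDSS 2008) scores a domain by the number of distinct A records, distinct ASNs those addresses fall in, and distinct NS records it accumulates across repeated lookups; a flux service network shows many addresses scattered over many ASNs, while a CDN shows many addresses in a few ASNs. The following is an added Python example of that scoring, not the attached dns-fastflux.bro script and not Bro code; the weights and threshold are the values reported in the paper as this editor recalls them and should be treated as tunable, the IP-to-ASN table and the DNS answers are constructed stand-ins for a BGP/whois lookup and real traffic, and the aggregation is done over a list rather than from Bro's dns_A_reply events.

```python
"""Fast-flux scoring over observed DNS answers.

Added example: it implements the flux-score idea from Holz et al.
(NDSS 2008), not the dns-fastflux.bro script from the original message.
"""
from dataclasses import dataclass, field

# Linear flux-score weights and decision threshold as reported in the
# paper (assumed values; tune them against your own traffic).  The paper
# found NS-record count to add little, hence the zero weight.
W_A, W_ASN, W_NS = 1.32, 18.54, 0.0
THRESHOLD = 142.38

# Constructed IP -> ASN table standing in for a real BGP/whois lookup.
# Addresses are from the TEST-NET ranges, ASNs from the private range.
ASN_OF = {
    "203.0.113.10": 64500, "203.0.113.11": 64500,
    "198.51.100.20": 64501, "198.51.100.21": 64501,
    "192.0.2.30": 64502, "192.0.2.31": 64503, "192.0.2.32": 64504,
    "192.0.2.33": 64505, "192.0.2.34": 64506, "192.0.2.35": 64506,
    "192.0.2.36": 64506, "192.0.2.37": 64506,
}
# A CDN-like domain: ten addresses spread over only two ASNs.
ASN_OF.update({f"198.51.100.{100 + i}": (64510 if i < 5 else 64511)
               for i in range(10)})


@dataclass
class DomainStats:
    """Distinct values seen for one domain across all of its lookups."""
    a_records: set = field(default_factory=set)
    asns: set = field(default_factory=set)
    ns_records: set = field(default_factory=set)


def observe(stats_by_domain, domain, rtype, rdata):
    """Fold one DNS answer record into the per-domain state."""
    s = stats_by_domain.setdefault(domain, DomainStats())
    if rtype == "A":
        s.a_records.add(rdata)
        asn = ASN_OF.get(rdata)
        if asn is not None:          # unresolvable addresses don't add an ASN
            s.asns.add(asn)
    elif rtype == "NS":
        s.ns_records.add(rdata)


def flux_score(s):
    """Weighted sum of distinct A records, ASNs and NS records."""
    return W_A * len(s.a_records) + W_ASN * len(s.asns) + W_NS * len(s.ns_records)


def is_fast_flux(s, threshold=THRESHOLD):
    return flux_score(s) > threshold


def analyse(answers):
    """Return {domain: (score, flagged)} for a sequence of (domain, rtype, rdata)."""
    stats = {}
    for domain, rtype, rdata in answers:
        observe(stats, domain, rtype, rdata)
    return {d: (flux_score(s), is_fast_flux(s)) for d, s in stats.items()}


# Constructed answer stream: flux.example rotates through 12 addresses in
# 7 ASNs (one address repeats and must count once); cdn.example returns
# 10 addresses in 2 ASNs.
SAMPLE_ANSWERS = (
    [("flux.example", "A", ip) for ip in list(ASN_OF)[:12]]
    + [("flux.example", "A", "203.0.113.10")]
    + [("flux.example", "NS", ns) for ns in ("ns1.flux.example", "ns2.flux.example")]
    + [("cdn.example", "A", ip) for ip in list(ASN_OF)[12:]]
    + [("cdn.example", "NS", "ns.cdn.example")]
)

if __name__ == "__main__":
    for domain, (score, flagged) in analyse(SAMPLE_ANSWERS).items():
        print(f"{domain:15s} score={score:7.2f} fast-flux={flagged}")
```

The ASN dimension is what separates the two domains here: both have a double-digit address count, but only the flux domain crosses the threshold because its addresses sit in seven different networks. In a live deployment the state would be built up over a window of low-TTL lookups, and the ASN lookup is the expensive part, so cache it.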