[Bro] Fast flux domains and Bro

Stephen Chan sychan at lbl.gov
Fri Feb 17 10:47:41 PST 2012


   We wrote a few iterations of FF DNS detectors in Bro several years
back. Our paper is here:

http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.185.3991

   We tried a few different approaches, but the one that worked the
best in the end was based on white/black listing ASNs. Scott may
remember it better than I, as he is further along in his recovery from
newborn-baby-induced memory loss. Jason Lee has probably the freshest
recollection of the approach since he worked on the most recent edit of
the paper.

   Steve


On Fri, Feb 17, 2012 at 7:19 AM, Seth Hall <seth at icir.org> wrote:
>
> On Feb 17, 2012, at 9:34 AM, relevant username wrote:
>
>> I was wondering if anyone on the list has any experience using Bro to detect fast flux domains.
>
>
> I wrote a script quite a few years ago, but I haven't touched it in a long time and it likely won't work right on 2.0.  It's a very short script though and could probably be ported fairly easily.  It uses the detection technique outlined in this paper:
>        http://pi1.informatik.uni-mannheim.de/filepool/publications/fast-flux-ndss08.pdf
>
> Someone else had a fast flux detection script at that time too, but I don't know if they still have it floating around anywhere or not.  I attached my script to this email.  When it's ported to 2.x we can get it into the contributed scripts repository.
>
>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>
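Seth's reply points at the NDSS08 paper's detection technique, and Steve says the ASN white/black-listing variant worked best for them. As an added example (not the script attached to the thread, and not the paper's or the Bro project's code), here is a small Python tracker that scores a domain by the distinct A records and origin ASNs seen across its lookups, skipping ASNs on an allowlist the way a CDN whitelist would. The weights and threshold are the ones I recall from that paper and should be treated as an assumption to tune on your own data; the IP-to-ASN map and the lookups are constructed sample data.

```python
from collections import defaultdict

# Weights and threshold as I recall them from Holz et al. (NDSS 2008);
# treat the exact numbers as an assumption and tune them to your own data.
W_A, W_ASN, THRESHOLD = 1.32, 18.54, 142.38

class FluxTracker:
    """Per-domain flux scoring over a stream of DNS A-record answers."""
    def __init__(self, ip_to_asn, asn_allowlist=frozenset()):
        self.ip_to_asn = ip_to_asn          # IP -> origin ASN lookup
        self.asn_allowlist = asn_allowlist  # ASNs whose churn is expected (CDNs)
        self.a_records = defaultdict(set)   # domain -> distinct IPs seen
        self.asns = defaultdict(set)        # domain -> distinct ASNs seen

    def observe(self, domain, answers):
        """Record one response; answers in allowlisted ASNs do not count."""
        for ip in answers:
            asn = self.ip_to_asn.get(ip)
            if asn in self.asn_allowlist:
                continue
            self.a_records[domain].add(ip)
            if asn is not None:
                self.asns[domain].add(asn)

    def score(self, domain):
        """Linear flux score f = W_A * n_A + W_ASN * n_ASN."""
        return W_A * len(self.a_records[domain]) + W_ASN * len(self.asns[domain])

    def is_fast_flux(self, domain):
        return self.score(domain) > THRESHOLD

def constructed_sample():
    """Constructed data: documentation-range IPs and placeholder ASNs."""
    flux_ips = [f"192.0.2.{i}" for i in range(1, 13)]                 # 12 A records
    ip_to_asn = {ip: 64500 + i % 8 for i, ip in enumerate(flux_ips)}  # 8 ASNs
    cdn_ips = ["203.0.113.1", "203.0.113.2", "203.0.113.3"]
    ip_to_asn.update({ip: 64600 for ip in cdn_ips})                   # one CDN-like ASN
    ip_to_asn["198.51.100.7"] = 64601                                 # a static host
    lookups = [("flux.example", flux_ips[0:4]), ("flux.example", flux_ips[4:8]),
               ("flux.example", flux_ips[8:12]), ("cdn.example", cdn_ips),
               ("static.example", ["198.51.100.7"])]
    return ip_to_asn, lookups

def run_demo():
    # 64600 is the allowlisted CDN-like ASN, so cdn.example never accrues a score
    ip_to_asn, lookups = constructed_sample()
    tracker = FluxTracker(ip_to_asn, asn_allowlist={64600})
    for domain, answers in lookups:
        tracker.observe(domain, answers)
    return {d: tracker.is_fast_flux(d) for d in ("flux.example", "cdn.example", "static.example")}
```

In a Bro deployment the same bookkeeping would hang off the DNS reply event, with the allowlist populated from known CDN and hosting ASNs rather than the placeholders used here.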