[Bro] Blacklist DNS alerting
Bob Rotsted
rrotsted at pdx.edu
Wed Mar 21 09:34:49 PDT 2012
Hello all,
I recently spun up my first Bro instance and I'm trying to find the most
elegant way to alert any time there is a query for a particular set of
malicious domains (e.g.
https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist).
Would this be best accomplished with a signature? Would I be better off
writing a hook for Bro's core DNS script?
Any input will be greatly appreciated,
Bob
--
Bob Rotsted
Network Security Analyst
Portland State University
Desk: 503-725-6215
Cell: 503-208-6575
314B D581 A8CD E28A A690 7E9D 5B43 4B28 0EB6 A21A