[Bro] Detecting software components that do strange dns queries

Heine Lysemose lysemose at gmail.com
Wed Mar 20 01:03:56 PDT 2013


Hi

Maybe this could help you...
http://code.google.com/p/security-onion/wiki/DNSAnomalyDetection

/Lysemose


On Wed, Mar 20, 2013 at 8:25 AM, C. L. Martinez <carlopmart at gmail.com> wrote:

> Hi all,
>
>  Is it possible to detect which software components make "strange"
> queries? For example, in our network, we detected queries to
> "abnormal" domains like these:
>
> 1363608064.778525|VmUnpNRkiF5|192.168.65.160|2933|10.196.0.67|53|udp|54891|gqtpngnqt.com|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-
> 1363608064.792823|JT4SuPtIQ3k|192.168.65.160|2940|10.196.0.67|53|udp|3431|wvxzfmyw.cc|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-
> 1363608064.794325|tYWZyjP18fd|192.168.65.160|2941|10.196.0.67|53|udp|15204|shlghhw.org|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-
> 1363608079.436835|TO6u5Zqbx1|192.168.65.160|2962|10.196.0.67|53|udp|50810|xqqkwjqdbhh.ws|1|C_INTERNET|1|A|0|NOERROR|F|F|T|T|0|149.20.56.32,149.20.56.33,149.20.56.34|6024.000000,6024.000000,6024.000000
>
> ... and a lot more.
>
> Any ideas how to accomplish this?
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
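Added example for the question above; it is not code from the thread, from Security Onion or from Bro. It parses dns.log records in the format quoted, scores each query name with three cheap heuristics (vowel ratio, longest consonant run, character entropy) and groups the hits per client address, which is the first step toward finding the offending host. The column order is assumed to be Bro 2.1's dns.log layout with '|' as the separator, the two benign records from a second host are constructed (RFC 5737 answer addresses), and the thresholds are illustrative starting points that need tuning against a site's own baseline.

```python
"""Flag DGA-looking names in Bro dns.log records and group the hits per client.

Added example for this thread; not code from the original post, from
Security Onion or from Bro. Assumes the Bro 2.1 dns.log column order listed
in FIELDS and '|' as the field separator, matching the records quoted in the
question. Thresholds are illustrative starting points.
"""
import math
from collections import Counter, defaultdict

FIELDS = [
    "ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "trans_id",
    "query", "qclass", "qclass_name", "qtype", "qtype_name", "rcode",
    "rcode_name", "AA", "TC", "RD", "RA", "Z", "answers", "TTLs",
]

# Constructed sample: the four records quoted in the question, plus two
# made-up ordinary lookups from a second host (RFC 5737 answer addresses)
# so the per-host grouping has a benign client to contrast with.
SAMPLE_LOG = """\
1363608064.778525|VmUnpNRkiF5|192.168.65.160|2933|10.196.0.67|53|udp|54891|gqtpngnqt.com|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-
1363608064.792823|JT4SuPtIQ3k|192.168.65.160|2940|10.196.0.67|53|udp|3431|wvxzfmyw.cc|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-
1363608064.794325|tYWZyjP18fd|192.168.65.160|2941|10.196.0.67|53|udp|15204|shlghhw.org|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-
1363608079.436835|TO6u5Zqbx1|192.168.65.160|2962|10.196.0.67|53|udp|50810|xqqkwjqdbhh.ws|1|C_INTERNET|1|A|0|NOERROR|F|F|T|T|0|149.20.56.32,149.20.56.33,149.20.56.34|6024.000000,6024.000000,6024.000000
1363608080.101010|a1b2c3d4e5f|192.168.65.23|51000|10.196.0.67|53|udp|4242|www.bro-ids.org|1|C_INTERNET|1|A|0|NOERROR|F|F|T|T|0|192.0.2.10|3600.000000
1363608081.202020|f6g7h8i9j0k|192.168.65.23|51001|10.196.0.67|53|udp|4243|mailman.icsi.berkeley.edu|1|C_INTERNET|1|A|0|NOERROR|F|F|T|T|0|192.0.2.11|3600.000000
"""

VOWELS = set("aeiou")


def parse_dns_log(text, sep="|"):
    """Turn dns.log lines into dicts keyed by FIELDS. Comment lines and lines
    whose column count is wrong (wrapped or truncated records) are skipped
    rather than silently mis-assigned."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(sep)
        if len(parts) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def registrable_label(query):
    """Label left of the TLD ('gqtpngnqt' for gqtpngnqt.com). Naive: assumes a
    single-label TLD; co.uk-style suffixes would need a public-suffix list."""
    labels = query.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def vowel_ratio(s):
    letters = [ch for ch in s if ch.isalpha()]
    return sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0


def longest_consonant_run(s):
    best = run = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_score(query):
    """Return (label, score). Each heuristic adds one point; 2 or more is
    suspicious. The length guard keeps short vowel-less names (bbc, cnn)
    from scoring on the vowel test alone."""
    label = registrable_label(query)
    score = 0
    if len(label) >= 6 and vowel_ratio(label) < 0.2:
        score += 1
    if longest_consonant_run(label) >= 5:
        score += 1
    if shannon_entropy(label) > 3.0:  # only long, varied labels reach this
        score += 1
    return label, score


def flag_hosts(records, min_score=2, min_hits=3):
    """Group suspicious queries by client IP and keep clients with at least
    min_hits: one odd name is noise, a burst of them is the DGA signature.
    Each hit keeps ts and source port for host-side correlation."""
    hits = defaultdict(list)
    for r in records:
        _, score = dga_score(r["query"])
        if score >= min_score:
            hits[r["orig_h"]].append((r["ts"], r["orig_p"], r["query"], r["rcode_name"]))
    return {host: v for host, v in hits.items() if len(v) >= min_hits}


if __name__ == "__main__":
    for host, queries in flag_hosts(parse_dns_log(SAMPLE_LOG)).items():
        print(host, len(queries), "suspicious queries")
        for ts, sport, name, rcode in queries:
            print("  ", ts, "sport", sport, name, "rcode", rcode)
```

Bro only sees packets, so a log-side check like this stops at the client address; it cannot name the process. The timestamp and source port it records for each hit are what you correlate with socket-to-process data collected on that machine (whatever host agent or local tooling is available there) to get from "192.168.65.160 is doing this" to the component responsible.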