[Bro] Detecting software components that do strange dns queries

Mike Sconzo sconzo at visiblerisk.com
Wed Mar 20 05:41:06 PDT 2013


Are you asking from a host perspective (now that you've seen this
traffic on a network, what is causing it on the host) or from a
network perspective (how do I find suspicious queries like these in
network traffic)?

-=Mike

On Wed, Mar 20, 2013 at 3:03 AM, Heine Lysemose <lysemose at gmail.com> wrote:
> Hi
>
> Maybe this could help you...
> http://code.google.com/p/security-onion/wiki/DNSAnomalyDetection
>
> /Lysemose
>
>
> On Wed, Mar 20, 2013 at 8:25 AM, C. L. Martinez <carlopmart at gmail.com>
> wrote:
>>
>> Hi all,
>>
>>  Is it possible to detect what software components do "strange"
>> queries?? For example, in our network, we detected queries to
>> "abnormal" domains like these:
>>
>>
>> 1363608064.778525|VmUnpNRkiF5|192.168.65.160|2933|10.196.0.67|53|udp|54891|gqtpngnqt.com|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-
>>
>> 1363608064.792823|JT4SuPtIQ3k|192.168.65.160|2940|10.196.0.67|53|udp|3431|wvxzfmyw.cc|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-
>>
>> 1363608064.794325|tYWZyjP18fd|192.168.65.160|2941|10.196.0.67|53|udp|15204|shlghhw.org|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-
>>
>> 1363608079.436835|TO6u5Zqbx1|192.168.65.160|2962|10.196.0.67|53|udp|50810|xqqkwjqdbhh.ws|1|C_INTERNET|1|A|0|NOERROR|F|F|T|T|0|149.20.56.32,149.20.56.33,149.20.56.34|6024.000000,6024.000000,6024.000000
>>
>> ... and a lot more.
>>
>> Any ideas how to accomplish this??
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



-- 
cat ~/.bash_history > documentation.txt
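A small detection pass over the dns.log lines quoted above, as an added example that is not part of the thread: it parses the pipe-delimited Bro 2.x columns (the column order is an assumption taken from the tab-separated dns.log of that version), flags queries whose second-level label looks machine-generated (vowel-poor or high-entropy; the thresholds are assumptions to tune on your own traffic) and counts hits per querying host (id.orig_h). That answers the network-side half of the question; tying a hit to the process on that host still needs host-side data.

```python
import math
from collections import Counter

# Bro 2.x dns.log column order (assumption: the quoted pipe-delimited lines follow it).
DNS_FIELDS = ("ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
              "trans_id", "query", "qclass", "qclass_name", "qtype", "qtype_name",
              "rcode", "rcode_name", "AA", "TC", "RD", "RA", "Z", "answers", "TTLs")
def parse_dns_line(line, sep="|"):
    """Split one log line into a dict keyed by column name; ValueError if malformed."""
    parts = line.strip().split(sep)
    if len(parts) != len(DNS_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(DNS_FIELDS), len(parts)))
    return dict(zip(DNS_FIELDS, parts))

def shannon_entropy(s):
    """Bits per character of s; 0.0 for the empty string."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def second_level_label(query):
    """Label left of the last dot, e.g. 'gqtpngnqt' for 'gqtpngnqt.com'."""
    labels = query.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def is_suspicious(query, max_vowel_ratio=0.2, min_entropy=3.5, min_len=7):
    """Heuristic: long second-level label that is nearly vowel-free or high-entropy (assumed thresholds)."""
    label = second_level_label(query)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiouy" for ch in label) / len(label)
    return vowel_ratio <= max_vowel_ratio or shannon_entropy(label) >= min_entropy

def suspicious_by_client(lines):
    """Count flagged queries per querying host (id.orig_h); malformed lines are skipped."""
    counts = Counter()
    for line in lines:
        try:
            rec = parse_dns_line(line)
        except ValueError:
            continue
        if is_suspicious(rec["query"]):
            counts[rec["id.orig_h"]] += 1
    return counts
# Constructed sample: two lines quoted in the thread plus one benign query.
SAMPLE = [
    "1363608064.778525|VmUnpNRkiF5|192.168.65.160|2933|10.196.0.67|53|udp|54891|gqtpngnqt.com|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-",
    "1363608079.436835|TO6u5Zqbx1|192.168.65.160|2962|10.196.0.67|53|udp|50810|xqqkwjqdbhh.ws|1|C_INTERNET|1|A|0|NOERROR|F|F|T|T|0|149.20.56.32,149.20.56.33,149.20.56.34|6024.000000,6024.000000,6024.000000",
    "1363608080.000000|AbCdEfGh123|192.168.65.161|2963|10.196.0.67|53|udp|50811|www.example.org|1|C_INTERNET|1|A|0|NOERROR|F|F|T|T|0|192.0.2.10|3600.000000",
]
```

Running suspicious_by_client(SAMPLE) reports 192.168.65.160 with two flagged queries and nothing for the host that only asked for www.example.org.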