[Bro] Detecting software components that do strange dns queries

Tritium Cat tritium.cat at gmail.com
Thu Mar 21 13:36:42 PDT 2013


Character frequency analysis.



On Wed, Mar 20, 2013 at 5:41 AM, Mike Sconzo <sconzo at visiblerisk.com> wrote:

> Are you asking from a host perspective (now that you've seen this
> traffic on a network, what is causing it on the host) or from a
> network perspective (how do I find suspicious queries like these in
> network traffic)?
>
> -=Mike
>
> On Wed, Mar 20, 2013 at 3:03 AM, Heine Lysemose <lysemose at gmail.com>
> wrote:
> > Hi
> >
> > Maybe this could help you...
> > http://code.google.com/p/security-onion/wiki/DNSAnomalyDetection
> >
> > /Lysemose
> >
> >
> > On Wed, Mar 20, 2013 at 8:25 AM, C. L. Martinez <carlopmart at gmail.com>
> > wrote:
> >>
> >> Hi all,
> >>
> >>  Is it possible to detect what software components do "strange"
> >> queries?? For example, in our network, we detected queries to
> >> "abnormal" domains like these:
> >>
> >>
> >> 1363608064.778525|VmUnpNRkiF5|192.168.65.160|2933|10.196.0.67|53|udp|54891|gqtpngnqt.com|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-
> >>
> >> 1363608064.792823|JT4SuPtIQ3k|192.168.65.160|2940|10.196.0.67|53|udp|3431|wvxzfmyw.cc|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-
> >>
> >> 1363608064.794325|tYWZyjP18fd|192.168.65.160|2941|10.196.0.67|53|udp|15204|shlghhw.org|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-
> >>
> >> 1363608079.436835|TO6u5Zqbx1|192.168.65.160|2962|10.196.0.67|53|udp|50810|xqqkwjqdbhh.ws|1|C_INTERNET|1|A|0|NOERROR|F|F|T|T|0|149.20.56.32,149.20.56.33,149.20.56.34|6024.000000,6024.000000,6024.000000
> >>
> >> ... and a lot more.
> >>
> >> Any ideas how to accomplish this??
> >> _______________________________________________
> >> Bro mailing list
> >> bro at bro-ids.org
> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
> >
> >
>
>
>
> --
> cat ~/.bash_history > documentation.txt
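A worked example of the character frequency analysis suggested above, run over the dns.log lines quoted in the thread. This is added here for illustration; it is not code from the Bro project or from any poster. It assumes the older pipe-separated dns.log layout visible in the quoted lines (the query name is the ninth field, zero-based index 8), uses the four quoted queries plus three benign lines constructed for contrast, and the thresholds (minimum label length, vowel ratio, consonant run length) are illustrative starting points rather than tuned values.

```python
"""Character-frequency screening of Bro dns.log query names.

Added example for the thread above, not Bro project code. Assumes the
pipe-separated dns.log layout shown in the quoted messages, where the
query name is at zero-based field index 8.
"""
import math
from collections import Counter

# Sample input: the four queries quoted in the thread, followed by three
# benign lines constructed for contrast (made-up uids and timestamps).
SAMPLE_DNS_LOG = """\
1363608064.778525|VmUnpNRkiF5|192.168.65.160|2933|10.196.0.67|53|udp|54891|gqtpngnqt.com|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-
1363608064.792823|JT4SuPtIQ3k|192.168.65.160|2940|10.196.0.67|53|udp|3431|wvxzfmyw.cc|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-
1363608064.794325|tYWZyjP18fd|192.168.65.160|2941|10.196.0.67|53|udp|15204|shlghhw.org|1|C_INTERNET|1|A|-|-|F|F|T|F|0|-|-
1363608079.436835|TO6u5Zqbx1|192.168.65.160|2962|10.196.0.67|53|udp|50810|xqqkwjqdbhh.ws|1|C_INTERNET|1|A|0|NOERROR|F|F|T|T|0|149.20.56.32,149.20.56.33,149.20.56.34|6024.000000,6024.000000,6024.000000
1363608080.000001|CONSTRUCTED1|192.168.65.160|2970|10.196.0.67|53|udp|11111|www.example.com|1|C_INTERNET|1|A|0|NOERROR|F|F|T|T|0|-|-
1363608081.000002|CONSTRUCTED2|192.168.65.161|2971|10.196.0.67|53|udp|22222|update.microsoft.com|1|C_INTERNET|1|A|0|NOERROR|F|F|T|T|0|-|-
1363608082.000003|CONSTRUCTED3|192.168.65.161|2972|10.196.0.67|53|udp|33333|pool.ntp.org|1|C_INTERNET|1|A|0|NOERROR|F|F|T|T|0|-|-
"""

QUERY_FIELD = 8          # zero-based index of the query name in this layout
VOWELS = set("aeiou")
MIN_LABEL_LEN = 6        # shorter labels carry too little signal to score
MIN_VOWEL_RATIO = 0.2    # illustrative threshold, tune on your own baseline
MAX_CONSONANT_RUN = 5    # illustrative threshold


def parse_dns_log(text):
    """Return (ts, orig_h, query) tuples; skip comments and truncated lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) <= QUERY_FIELD:
            continue  # wrapped or truncated line: skip rather than guess
        records.append((fields[0], fields[2], fields[QUERY_FIELD]))
    return records


def registered_label(query):
    """Label left of the TLD ('www.example.com' -> 'example').

    Approximation: two-level public suffixes such as co.uk would need a
    public suffix list to handle correctly.
    """
    labels = query.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    """Bits per character; reported for reference only, it misorders short
    labels (see the usage note)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def vowel_ratio(s):
    letters = [c for c in s if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0


def longest_consonant_run(s):
    best = run = 0
    for c in s:
        if c.isalpha() and c not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def score_label(label):
    """Return the reasons a label looks machine-generated (empty if none)."""
    if len(label) < MIN_LABEL_LEN:
        return []  # 'ntp', 'bbc' and the like would otherwise trip the vowel test
    reasons = []
    if vowel_ratio(label) < MIN_VOWEL_RATIO:
        reasons.append("vowel_ratio=%.2f" % vowel_ratio(label))
    if longest_consonant_run(label) >= MAX_CONSONANT_RUN:
        reasons.append("consonant_run=%d" % longest_consonant_run(label))
    return reasons


def flag_queries(text):
    """Return [(ts, orig_h, query, reasons)] for queries that trip a test."""
    flagged = []
    for ts, orig_h, query in parse_dns_log(text):
        reasons = score_label(registered_label(query))
        if reasons:
            flagged.append((ts, orig_h, query, reasons))
    return flagged


def hosts_by_flagged_count(text):
    """Flagged queries per source host: that host is where the responsible
    software component has to be looked for."""
    return Counter(orig_h for _, orig_h, _, _ in flag_queries(text))


if __name__ == "__main__":
    for ts, host, query, reasons in flag_queries(SAMPLE_DNS_LOG):
        print(ts, host, query, ", ".join(reasons))
    print(dict(hosts_by_flagged_count(SAMPLE_DNS_LOG)))
```

Run against a real dns.log by passing its contents to flag_queries(); the per-host tally is the bridge from the network view to the host view, since the originating host is the one to inspect for the process issuing the lookups. Note that Shannon entropy alone is a poor discriminator at these lengths: "example" scores higher than "gqtpngnqt" because it simply has more distinct characters, which is why the flag rule here relies on vowel ratio and consonant runs instead.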