[Bro] Using Bro to detect DNS lookups in given timeframe
Seth Hall
seth at icir.org
Wed Mar 18 09:57:08 PDT 2015
> On Mar 18, 2015, at 12:28 PM, Hille, Samson <SHille at heartland.com> wrote:
>
> - Detecting if a network device is looking up over 50 DNS entries in a 1 hour timeframe
There is nothing built in right now, but it would be pretty easy to write a script to do it. Here’s a quick one...
event bro_init()
    {
    # Reducer that sums the observations fed to this stream.
    local r1 = SumStats::Reducer($stream="too_much_dns.recursive_requests", $apply=set(SumStats::SUM));

    # Counts are kept per key (here: per client host) and reset every epoch.
    SumStats::create([$name="too_much_dns",
                      $epoch=1hr,
                      $reducers=set(r1),
                      # The value compared against $threshold: the per-host sum so far in this epoch.
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                          {
                          return result["too_much_dns.recursive_requests"]$sum;
                          },
                      # Fires once per host per epoch when the sum reaches this value;
                      # 50.0 corresponds to the 50-per-hour case asked about above.
                      $threshold=5.0,
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                          {
                          local r = result["too_much_dns.recursive_requests"];
                          # Time span between the first and last observation for this host in the epoch.
                          local dur = duration_to_mins_secs(r$end - r$begin);
                          local message = fmt("%s did at least %.0f recursive DNS requests in %s", key$host, r$sum, dur);
                          print message;
                          }]);
    }

# Count only recursive queries (RD flag set), keyed on the requesting host.
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    if ( msg$RD )
        SumStats::observe("too_much_dns.recursive_requests", [$host=c$id$orig_h], [$num=1]);
    }
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
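The same per-host, per-epoch counting as an offline Python check over a constructed, trimmed-down dns.log, useful for sanity-checking the threshold before deploying the script. This is an added example, not Seth's script or part of Bro; it assumes the real dns.log field names ts, id.orig_h and RD, a Bro-style "#fields" header, fixed one-hour epochs, and SumStats' "fire once per key per epoch when the sum reaches the threshold" behaviour.

```python
from collections import defaultdict

EPOCH_SECS = 3600.0  # $epoch=1hr in the Bro script

# Constructed sample log (not real traffic): 10.0.0.5 makes six recursive and
# one non-recursive lookup in the first hour, then one more in the next hour;
# 10.0.0.9 makes two recursive lookups. Only the fields we need are kept.
SAMPLE_DNS_LOG = "\n".join(
    ["#fields\tts\tid.orig_h\tquery\tRD"]
    + ["1426700000.%d\t10.0.0.5\thost%d.example\tT" % (i, i) for i in range(6)]
    + ["1426700007.0\t10.0.0.5\tlocal.example\tF",
       "1426700010.0\t10.0.0.9\ta.example\tT",
       "1426700011.0\t10.0.0.9\tb.example\tT",
       "1426704000.0\t10.0.0.5\tnext-hour.example\tT"])


def parse_dns_log(text):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def duration_to_mins_secs(secs):
    """Mirror Bro's duration_to_mins_secs(): whole seconds as 'Xm Ys'."""
    secs = int(secs)
    return "%dm%ds" % (secs // 60, secs % 60)


def detect_too_much_dns(log_text, threshold=50.0):
    """Return the messages the Bro script would print, at most one per
    (client, epoch), using the same wording as its fmt() call."""
    stats = defaultdict(lambda: {"sum": 0.0, "begin": None, "end": None})
    fired, messages = set(), []
    for rec in parse_dns_log(log_text):
        if rec["RD"] != "T":  # same filter as `if ( msg$RD )`
            continue
        ts = float(rec["ts"])
        key = (rec["id.orig_h"], int(ts // EPOCH_SECS))  # host within its epoch
        s = stats[key]
        s["sum"] += 1
        s["begin"] = ts if s["begin"] is None else s["begin"]
        s["end"] = ts
        if s["sum"] >= threshold and key not in fired:
            fired.add(key)
            messages.append("%s did at least %.0f recursive DNS requests in %s" % (
                key[0], s["sum"], duration_to_mins_secs(s["end"] - s["begin"])))
    return messages
```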