[Bro] DNS behavior alerting

Brian Kellogg theflakes at gmail.com
Fri Oct 2 10:52:35 PDT 2015


I started a Bro script a while ago that I haven't had time to develop much
beyond the starter framework.  The script is meant to do the below.  I
started working on it again but I'd welcome any help/feedback anyone would
be willing to offer.  It does try to do some basic DNS tunneling detection
but it needs more intelligence built into it.  For DNS tunneling the script
looks at the query size and the return message size and then uses sumstats
to alert on any host that crosses a specified threshold of suspicious DNS
reqs/msgs seen.

I have seen that there are a lot of services out there conducting large
hostname queries which creates some FPs.

# Raises notices for odd or suspicious DNS traffic
#   - Detects DNS on non-standard ports
#   - Attempts to detect DNS tunneling
#       - intelligence for different query types --- TO DO
#       - statistical analysis' --- TO DO
#   - Detect DNS responses with interesting IPs --- TO DO

*Script on GitHub:*
https://github.com/theflakes/bro-scripts/blob/master/2.4-scripts/dns-bad_behavior.bro



-Brian Kellogg
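The heuristic described in the post (flag DNS records whose query name or answer payload is unusually large, count them per source host in a sliding window, and alert once a host crosses a threshold) is easy to prototype outside of Bro. The following is an added Python sketch that is not Brian's script and is not taken from the linked repository: it re-implements the same idea over a few constructed dns.log-style records so the thresholds and the window logic can be tested offline. The thresholds, window length, field subset (ts, id.orig_h, qtype_name, query, answers) and the allowlist suffix are all assumptions chosen for the illustration; the allowlist is there because, as the post notes, some legitimate services issue long hostname queries and would otherwise produce false positives.

```python
"""Sliding-window detector for oversized DNS queries/responses per client.

Added illustration, not the author's Bro script: a stand-alone Python
re-implementation of the size-based DNS tunneling heuristic over
constructed Zeek/Bro dns.log-style records (tab-separated:
ts, id.orig_h, qtype_name, query, answers).
"""
from collections import defaultdict, deque

# Assumed tunables (not taken from the original script).
MAX_QUERY_LEN = 52        # characters in the queried name before it counts as suspicious
MAX_ANSWER_BYTES = 180    # total characters of answer data before it counts as suspicious
WINDOW_SECONDS = 300.0    # sliding window, playing the role of the sumstats epoch
THRESHOLD = 3             # suspicious records per host inside the window that trigger an alert

# Constructed allowlist: suffixes of services that legitimately issue long names.
ALLOWLIST_SUFFIXES = ("updates.example-cdn.test",)

# Constructed sample input (labelled: NOT real traffic).
LONG_NAME = "0123456789abcdef" * 3 + ".t.example.net"   # 62 characters, over MAX_QUERY_LEN
BIG_TXT = "A" * 200                                      # 200 characters, over MAX_ANSWER_BYTES
SAMPLE_LOG = [
    "#fields\tts\tid.orig_h\tqtype_name\tquery\tanswers",
    "1443800000.0\t10.0.0.5\tA\twww.example.com\t93.184.216.34",
    f"1443800001.0\t10.0.0.7\tTXT\t{LONG_NAME}\t-",
    f"1443800003.0\t10.0.0.11\tA\t{'abcd' * 15}.updates.example-cdn.test\t10.1.2.3",
    f"1443800005.0\t10.0.0.9\tTXT\t{LONG_NAME}\t-",
    f"1443800010.0\t10.0.0.13\tTXT\tcfg.example.org\t{BIG_TXT}",
    f"1443800050.0\t10.0.0.7\tTXT\t{LONG_NAME}\t-",
    f"1443800120.0\t10.0.0.7\tTXT\t{LONG_NAME}\t-",
    f"1443800400.0\t10.0.0.9\tTXT\t{LONG_NAME}\t-",   # > 300 s after its first record
    f"1443800410.0\t10.0.0.9\tTXT\t{LONG_NAME}\t-",
]


def parse_record(line):
    """Split one tab-separated record into a dict; '-' means no answers."""
    ts, orig_h, qtype, query, answers = line.rstrip("\n").split("\t")
    ans_list = [] if answers == "-" else answers.split(",")
    return {"ts": float(ts), "orig_h": orig_h, "qtype": qtype,
            "query": query, "answers": ans_list}


def suspicious_reasons(rec):
    """Return the list of size-based reasons a record looks like tunneling (empty if none)."""
    reasons = []
    if rec["query"].endswith(ALLOWLIST_SUFFIXES):
        return reasons                       # known long-name service: skip to avoid FPs
    if len(rec["query"]) > MAX_QUERY_LEN:
        reasons.append("long_query")
    answer_bytes = sum(len(a) for a in rec["answers"])
    if answer_bytes > MAX_ANSWER_BYTES:
        reasons.append("large_answer")
    return reasons


def detect(lines):
    """Count suspicious records per source host in a sliding window; alert at THRESHOLD.

    Each host is alerted at most once so a busy tunneling client does not flood notices.
    """
    windows = defaultdict(deque)   # host -> timestamps of suspicious records in the window
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue                          # skip dns.log header/comment lines
        rec = parse_record(line)
        reasons = suspicious_reasons(rec)
        if not reasons:
            continue
        host = rec["orig_h"]
        win = windows[host]
        win.append(rec["ts"])
        while win and rec["ts"] - win[0] > WINDOW_SECONDS:
            win.popleft()                     # expire records older than the window
        if len(win) >= THRESHOLD and host not in alerted:
            alerted.add(host)
            alerts.append({"host": host, "count": len(win),
                           "ts": rec["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"NOTICE {alert['host']}: {alert['count']} suspicious DNS records "
              f"within {WINDOW_SECONDS:.0f}s (last reasons: {alert['reasons']})")
```

In the sample, 10.0.0.7 issues three over-length TXT queries within 120 seconds and is the only host alerted; 10.0.0.9 also issues three, but the first falls outside the 300-second window, so it never reaches the threshold; 10.0.0.13's single large TXT answer is flagged but not alerted; and 10.0.0.11's long query is suppressed by the allowlist. In a real deployment the same three knobs (length limits, window, threshold) would be tuned per site, and the query-type intelligence the post lists as a to-do would replace the crude character counts.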