[Bro] DNS behavior alerting

Vern Paxson vern at berkeley.edu
Sun Oct 4 17:32:34 PDT 2015


> In my experience, detecting DNS tunneling with Anthony's first
> suggestion may be the easiest and most effective way. I have a script
> that does that and it's very high quality (no false positives except
> for anti-virus DNS activity, which is easily whitelisted).

For those interested in this, we developed a general framework for detecting
surreptitious communication over DNS:

	http://www.icir.org/vern/papers/covert-dns-usec13.pdf

We mainly explored it for off-line use, but also showed that in principle
it could run in real-time.  We didn't do a Bro implementation, though.

		Vern
