[Bro] DNS behavior alerting
Vern Paxson
vern at berkeley.edu
Sun Oct 4 17:32:34 PDT 2015
> In my experience, detecting DNS tunneling with Anthony's first
> suggestion may be the easiest and most effective way. I have a script
> that does that and it's very high quality (no false positives except
> for anti-virus DNS activity, which is easily whitelisted).
For those interested in this, we developed a general framework for detecting
surreptitious communication over DNS:
http://www.icir.org/vern/papers/covert-dns-usec13.pdf
We mainly explored it for offline use, but also showed that in principle
it could run in real time. We didn't do a Bro implementation, though.
Vern