[Bro] Bad DNS Detection

James Lay jlay at slave-tothe-box.net
Tue Mar 8 05:57:20 PST 2016


This will get you there:

https://intel.criticalstack.com/

also, not bro related, but graphically shows what you're looking for:

https://github.com/stamparm/maltrail

James

On Tue, 2016-03-08 at 15:18 +0200, Umut Arus wrote:
> Hi Justin,
> 
> Thanks, but I need code or a configuration that queries the malware
> DNS/IP sources that clients are trying to connect to and raises notices.
> 
> Or how do you realise malwared DDoS clients in your network with Bro?
> 
> thanks..
> 
> On Tue, Mar 8, 2016 at 3:09 PM, Azoff, Justin S <jazoff at illinois.edu>
> wrote:
> 
>         This script that I wrote a while ago may help:
>         
>         
>         
>         
>         
>         It creates an external_dns.log file (which is just dns.log
>         that has been pre-filtered for you) as well as raising notices
>         when it detects clients using external dns servers.
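Putting the two suggestions in this thread together, here is an added example Bro script (not James's, Justin's, or the Bro project's own code, and not the script Justin linked). It does two things: it loads a Critical Stack-style Intel feed so that queries or connections matching bad domains/IPs raise Intel::Notice notices, and it raises its own notice when a local client sends DNS to a server that is not one of the site's approved resolvers. The feed path, the resolver addresses and the notice name are placeholders; it assumes Bro 2.4-era syntax and that Site::local_nets is populated via networks.cfg.

```bro
# Added example, not from the original thread or the Bro project.
# Part 1: Intel framework. policy/frameworks/intel/seen pushes DNS query
# names, connection addresses, etc. through Intel::seen; do_notice raises
# Intel::Notice for hits whose feed entry has meta.do_notice set to T.
@load base/frameworks/intel
@load base/frameworks/notice
@load policy/frameworks/intel/seen
@load policy/frameworks/intel/do_notice

# Tab-separated Intel-format feed (header: #fields indicator indicator_type
# meta.source meta.do_notice ...). The path is a placeholder; the Critical
# Stack agent can be pointed at a file like this.
redef Intel::read_files += {
    "/opt/bro/share/bro/site/bad_dns.intel",
};

# Part 2: flag local clients that bypass the site's own resolvers.
module ExternalDNS;

export {
    redef enum Notice::Type += {
        ## A local client sent a DNS query to a server outside the approved set.
        External_DNS_Server,
    };

    ## DNS servers local clients are allowed to talk to. Placeholder addresses.
    const approved_dns_servers: set[addr] = {
        10.0.0.53,
        10.0.1.53,
    } &redef;
}

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
{
    local client = c$id$orig_h;
    local server = c$id$resp_h;

    # Only local clients are interesting; remote hosts querying us are a
    # different problem.
    if ( ! Site::is_local_addr(client) )
        return;

    # The approved resolvers forward upstream themselves; do not flag that.
    if ( client in approved_dns_servers )
        return;

    if ( server in approved_dns_servers )
        return;

    # One notice per client/server pair per hour, so a chatty host does not
    # flood notice.log.
    NOTICE([$note=External_DNS_Server,
            $msg=fmt("%s queried %s via non-approved DNS server %s",
                     client, query, server),
            $sub=query,
            $conn=c,
            $identifier=cat(client, server),
            $suppress_for=1hr]);
}
```

Drop this into local.bro (or @load it from there) and restart via broctl; Intel hits show up in intel.log and, for feed rows with meta.do_notice=T, in notice.log as Intel::Notice, while resolver bypass shows up as ExternalDNS::External_DNS_Server. Clients pointed at the site's own resolvers will never trigger the second notice, which is the intent: the Intel feed covers what they resolve, and the second check covers hosts that go around the resolvers.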