[Bro] Bad DNS Detection
James Lay
jlay at slave-tothe-box.net
Tue Mar 8 05:57:20 PST 2016
This will get you there:
https://intel.criticalstack.com/
Also, not Bro related, but it graphically shows what you're looking for:
https://github.com/stamparm/maltrail
James
On Tue, 2016-03-08 at 15:18 +0200, Umut Arus wrote:
> Hi Justin,
>
> Thanks, but I need code or a configuration that queries the malware
> DNS/IP sources that are trying to connect and raises notices.
>
> Or how do you identify malware-infected DDoS clients in your network
> with Bro?
>
> thanks..
>
> On Tue, Mar 8, 2016 at 3:09 PM, Azoff, Justin S <jazoff at illinois.edu>
> wrote:
>
> This script that I wrote a while ago may help:
>
>
> It creates an external_dns.log file (which is just dns.log
> that has been pre-filtered for you) as well as raising notices
> when it detects clients using external DNS servers.
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
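What the thread asks for, written out as an added example: this is not Justin's script, not part of the Critical Stack feed, and not code from any message above. It combines the two approaches mentioned: the Intel framework (which James points to via Critical Stack) raises an Intel::Notice when a DNS query matches an indicator whose meta.do_notice is set, and a small dns_request handler raises a notice when a local client talks to a resolver outside an approved set, which is the behaviour Justin describes for his external-DNS script. The indicator "malware.example", the resolver addresses, the module name BadDNS and the feed path are placeholders, and Site::local_nets is assumed to be configured (networks.cfg under broctl, or a redef).

```bro
# Added example, not from the thread. Bro 2.x script syntax; names are placeholders.
@load base/frameworks/intel
@load base/frameworks/notice
@load policy/frameworks/intel/seen       # feeds DNS query names, IPs, URLs etc. into Intel::seen()
@load policy/frameworks/intel/do_notice  # raises Intel::Notice for items whose meta.do_notice is T

module BadDNS;

export {
	redef enum Notice::Type += {
		## A local client sent a DNS query to a resolver that is not on the approved list.
		External_DNS_Server,
	};

	## Assumed: the resolvers your clients are supposed to use. Placeholder addresses.
	const approved_dns_servers: set[addr] = { 10.0.0.53, 10.0.1.53 } &redef;
}

# In production the indicators come from a feed file (for example what
# critical-stack-intel pulls). The path below is a placeholder; the file is
# tab-separated with a "#fields" header naming indicator, indicator_type,
# meta.source, meta.desc and meta.do_notice.
# redef Intel::read_files += { "/opt/bro/share/bro/site/intel/dns-indicators.txt" };

# For a self-contained demo, insert one constructed indicator at startup.
# Any DNS query for this name (or a subdomain) from a monitored host then
# produces an Intel::Notice in notice.log via the do_notice policy.
event bro_init()
	{
	Intel::insert([$indicator="malware.example",
	               $indicator_type=Intel::DOMAIN,
	               $meta=[$source="constructed-demo",
	                      $desc="placeholder C2 domain, not a real IOC",
	                      $do_notice=T]]);
	}

# A DNS query from a local client to a resolver outside the approved set gets a
# notice, de-duplicated per (client, resolver) pair for an hour.
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	if ( ! Site::is_local_addr(c$id$orig_h) )
		return;
	if ( c$id$resp_h in approved_dns_servers )
		return;

	NOTICE([$note=External_DNS_Server,
	        $conn=c,
	        $msg=fmt("%s sent a DNS query for %s to non-approved resolver %s",
	                 c$id$orig_h, query, c$id$resp_h),
	        $identifier=cat(c$id$orig_h, c$id$resp_h),
	        $suppress_for=1hr]);
	}
```

To try it against a capture: `bro -r capture.pcap local.bro bad-dns.bro` (adding `redef Site::local_nets += { 10.0.0.0/8 };` or similar if not running under broctl), then look in notice.log for Intel::Notice and BadDNS::External_DNS_Server entries. The $identifier plus $suppress_for keeps one chatty client from flooding notice.log; drop them if you want every query recorded, or raise $suppress_for if your clients legitimately roam between resolvers.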