Hi, just a few talking points/ideas for the DNS reputation system for Suricata that I thought I might as well get in before the OISF meeting:

- Obviously have DNS reputation on the network as an option, but there is a design problem there. Most people will have their Suricata installs on the perimeter watching traffic coming in and out, which is fine, but when it comes to DNS in a large organisation that has internal DNS servers, what you get is the DNS server doing a recursive lookup on the client's behalf, which means you only see the DNS server as the source host. This means that if you are applying DNS reputation, especially one which is score based, you never really see the source host unless you are in between the DNS server and the client. What you could have as an option is a small listener capturing DNS queries, installed on the DNS server (Windows, *nix etc.), forwarding them to the Suricata device. This means you will not miss any DNS queries if you install it on all your internal DNS servers, and then you have it on the network to capture direct queries from a client (negating known DNS servers if DNS capture and forwarding of DNS queries is used), and this allows you to see what real client is looking up malware domains, or apply reputation intelligence and patterns to the true host.

- Have a domain suffix reputation score reduction system to track a host, i.e. suggest some ideal defaults in a config file and people can add/take away if they want to use the system, and then common "bad" domain lookups can apply a score and keep note of a host. If the host makes repeated "bad" lookups, the infection score can be increased until an alert is generated (i.e. repeated lookups to .cn, .ro and .ru domains from a single host).

- Checks against known bad domains (SpyEye/Zeus trackers, malwaredomains etc.), which I know will be in there anyway. Also have an ET blacklist or something in which DNS lookups from the sandnet are fed into the system.
Regards, Kevin
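The per-host suffix scoring and known-bad-domain checks sketched in the message above, as an added example that is not part of the original post or of Suricata. It assumes a constructed record format of "<client_ip> <qname>" lines, as a forwarder installed on the DNS server might send them, and the suffix scores, blacklist entries and threshold are placeholder defaults of the kind the message proposes putting in a config file.

```python
from collections import defaultdict

# Constructed config (the message proposes shipping tunable defaults in a config file).
SUFFIX_SCORES = {".cn": 2, ".ro": 2, ".ru": 2}     # score added per lookup of that suffix
KNOWN_BAD = {"tracker.example", "c2.example"}       # placeholder blacklist entries
KNOWN_BAD_SCORE = 10
ALERT_THRESHOLD = 6

def score_query(qname):
    """Points for one lookup: a known-bad domain (or a subdomain of one) scores
    highest, otherwise the matching suffix score, otherwise zero."""
    name = qname.rstrip(".").lower()
    if any(name == bad or name.endswith("." + bad) for bad in KNOWN_BAD):
        return KNOWN_BAD_SCORE
    return next((pts for sfx, pts in SUFFIX_SCORES.items() if name.endswith(sfx)), 0)

def track_hosts(records, known_dns_servers=frozenset()):
    """records: iterable of "<client_ip> <qname>" lines (assumed format).
    Queries sourced from a known internal DNS server are ignored, because the
    forwarded records already carry the true client for those lookups.
    Returns (scores, alerts); an alert fires once when a host crosses the threshold."""
    scores, alerts = defaultdict(int), []
    for rec in records:
        parts = rec.split()
        if len(parts) != 2:
            continue                       # skip malformed lines
        client, qname = parts
        if client in known_dns_servers:
            continue
        pts = score_query(qname)
        if pts == 0:
            continue
        before = scores[client]
        scores[client] += pts
        if before < ALERT_THRESHOLD <= scores[client]:
            alerts.append((client, scores[client], qname))
    return dict(scores), alerts

# Constructed sample: three forwarded records from the DNS server plus one
# query the perimeter sensor attributes to the DNS server (10.0.0.2) itself.
SAMPLE = [
    "10.0.0.5 update.example.cn",
    "10.0.0.5 mail.example.ru",
    "10.0.0.5 cdn.example.ro",
    "10.0.0.7 www.example.com",
    "10.0.0.2 evil.c2.example",
]

if __name__ == "__main__":
    print(track_hosts(SAMPLE, known_dns_servers={"10.0.0.2"}))
```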