[Discussion] features (mainly dns)
David Glosser
david.glosser at gmail.com
Mon Nov 17 11:48:31 UTC 2008
See http://isc.sans.org/diary.html?storyid=5345; I think there are some
interesting possible features, especially in the field of DNS and anomaly
detection:
- DNS responses which had a low to very low TTL (time to live) value,
which is somewhat unusual;
- DNS responses which contained a domain that belonged to one of a long
list of dynamic DNS providers;
- DNS queries which were issued more frequently by the client than would
be expected given the TTL for that hostname;
- DNS requests for a hostname outside of the local namespace which were
responded to with a resource record pointing to an IP address within either
127.0.0.0/8, 0.0.0.0/32, RFC1918 IP space, or anywhere inside the public
or private IP space of the organization;
- Consecutive DNS responses for a single unique hostname which contained
only a single resource record, but which changed more than twice every 24
hours.
- Persistent connections to HTTP servers on the internet, even outside
regular office hours, can be normal: just think of software update
mechanisms.
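The DNS heuristics in the list above, turned into detection logic over a handful of DNS response log lines. This is an added example, not code from the mail or from any project; the log field layout, the local namespace suffix, the dynamic-DNS provider list, the organization's address range, the thresholds and the sample records are all constructed assumptions.

```python
"""Detection checks for the DNS anomalies listed in the post, run over
constructed DNS response records (added example, not from the original mail).
Field layout, suffix lists, address ranges, thresholds and samples are assumed."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, client, qname, single A answer, TTL
SAMPLE_LOG = """\
2008-11-17T08:00:00 10.1.1.5 www.example.org 93.184.216.34 3600
2008-11-17T08:00:20 10.1.1.5 cnc.dyn.example.net 198.51.100.7 30
2008-11-17T08:00:40 10.1.1.5 cnc.dyn.example.net 198.51.100.9 30
2008-11-17T09:00:00 10.1.1.5 cnc.dyn.example.net 203.0.113.4 30
2008-11-17T09:05:00 10.1.1.5 www.example.org 93.184.216.34 3600
2008-11-17T10:00:00 10.1.1.5 cnc.dyn.example.net 203.0.113.5 30
2008-11-17T10:30:00 10.1.1.6 update.example.com 127.0.0.1 300
2008-11-17T10:31:00 10.1.1.6 intranet.corp.local 10.0.0.20 300
"""

LOCAL_SUFFIXES = ("corp.local",)          # assumed local namespace
DYNDNS_SUFFIXES = ("dyn.example.net",)    # assumed dynamic DNS provider list
ORG_PREFIXES = ("198.18.0.0/15",)         # assumed organization address space
SUSPECT_NETS = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12",
                 "192.168.0.0/16", *ORG_PREFIXES)]


def parse(log):
    """Parse the constructed log format into a list of record dicts."""
    recs = []
    for line in log.splitlines():
        ts, client, qname, rdata, ttl = line.split()
        recs.append({"ts": datetime.fromisoformat(ts), "client": client,
                     "qname": qname, "rdata": rdata, "ttl": int(ttl)})
    return sorted(recs, key=lambda r: r["ts"])


def low_ttl(recs, threshold=60):
    """Names answered with a TTL below `threshold` seconds."""
    return sorted({r["qname"] for r in recs if r["ttl"] < threshold})


def dyndns_names(recs):
    """Names that fall under a listed dynamic DNS provider domain."""
    return sorted({r["qname"] for r in recs if r["qname"].endswith(DYNDNS_SUFFIXES)})


def queries_faster_than_ttl(recs):
    """(client, qname) pairs re-queried before the previous answer's TTL expired."""
    last, hits = {}, set()
    for r in recs:
        key = (r["client"], r["qname"])
        if key in last:
            prev_ts, prev_ttl = last[key]
            if (r["ts"] - prev_ts).total_seconds() < prev_ttl:
                hits.add(key)
        last[key] = (r["ts"], r["ttl"])
    return sorted(hits)


def external_name_internal_answer(recs):
    """Non-local names resolving into loopback, 0.0.0.0, RFC1918 or org space."""
    hits = set()
    for r in recs:
        if r["qname"].endswith(LOCAL_SUFFIXES):
            continue
        addr = ipaddress.ip_address(r["rdata"])
        if any(addr in net for net in SUSPECT_NETS):
            hits.add((r["qname"], r["rdata"]))
    return sorted(hits)


def fast_flux(recs, max_changes=2, window_hours=24):
    """Names whose single answer changed more than `max_changes` times in a window."""
    by_name = defaultdict(list)
    for r in recs:
        by_name[r["qname"]].append((r["ts"], r["rdata"]))
    hits = []
    for qname, seq in by_name.items():
        # timestamps at which the answer differs from the previous one
        changes = [ts for (ts, cur), (_, prev) in zip(seq[1:], seq) if cur != prev]
        for start in changes:  # sliding window anchored at each change
            n = sum(1 for t in changes
                    if 0 <= (t - start).total_seconds() <= window_hours * 3600)
            if n > max_changes:
                hits.append(qname)
                break
    return sorted(hits)


RECORDS = parse(SAMPLE_LOG)

if __name__ == "__main__":
    for name, fn in (("low TTL", low_ttl), ("dynamic DNS", dyndns_names),
                     ("query faster than TTL", queries_faster_than_ttl),
                     ("external name, internal answer", external_name_internal_answer),
                     ("fast flux", fast_flux)):
        print(f"{name}: {fn(RECORDS)}")
```

Each check is kept independent so it can be tuned or dropped on its own; in practice the TTL and re-query checks need a baseline for the environment, since stub resolvers that do not cache will trip the re-query check on legitimate names.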