[Discussion] features (mainly dns)

David Glosser david.glosser at gmail.com
Mon Nov 17 11:48:31 UTC 2008


See http://isc.sans.org/diary.html?storyid=5345, I think there are some
interesting possible features, especially in the field of DNS and anomaly
detection:

   - DNS responses which had a low to very low TTL (time to live) value,
   which is somewhat unusual;
   - DNS responses which contained a domain that belonged to one of a long
   list of dynamic DNS providers;
   - DNS queries which were issued more frequently by the client than would
   be expected given the TTL for that hostname;
   - DNS requests for a hostname outside of the local namespace which were
   responded to with a resource record pointing to an IP address within either
   127.0.0.0/8, 0.0.0.0/32, RFC1918 IP space, or anywhere inside the public
   or private IP space of the organization;
   - Consecutive DNS responses for a single unique hostname which contained
   only a single resource record, but which changed more than twice every 24
   hours.
   - Persistent connections to HTTP servers on the internet, even outside
   regular office hours, can be normal: just think of software update
   mechanisms.
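As an added example (not part of the original post or of the ISC diary it cites), the following Python sketch applies the five DNS heuristics listed above to a handful of constructed resolver-log lines. The log format, the thresholds, the dynamic-DNS provider list, the local namespace suffix and the organisation's own prefix are all assumptions made for the demo; the documentation address ranges used in the sample are not real traffic.

```python
"""Detection heuristics for the DNS features listed in the post, run over
constructed resolver-log lines (one line per DNS response)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic); the line format is assumed.
SAMPLE_LOG = """\
2008-11-17T09:00:00 client=10.0.0.5 qname=www.example.com answer=198.51.100.10,198.51.100.11 ttl=3600
2008-11-17T09:00:05 client=10.0.0.5 qname=cc.dyndns-host.example answer=203.0.113.7 ttl=30
2008-11-17T09:00:10 client=10.0.0.5 qname=cc.dyndns-host.example answer=203.0.113.9 ttl=30
2008-11-17T09:00:15 client=10.0.0.5 qname=cc.dyndns-host.example answer=203.0.113.11 ttl=30
2008-11-17T09:00:20 client=10.0.0.5 qname=cc.dyndns-host.example answer=203.0.113.13 ttl=30
2008-11-17T09:01:00 client=10.0.0.6 qname=update.vendor.example answer=198.51.100.4 ttl=300
2008-11-17T09:07:00 client=10.0.0.6 qname=update.vendor.example answer=198.51.100.4 ttl=300
2008-11-17T09:02:00 client=10.0.0.7 qname=odd-host.example answer=192.168.1.20 ttl=600
2008-11-17T09:02:30 client=10.0.0.8 qname=intranet.corp.local answer=192.168.1.20 ttl=600
2008-11-17T09:03:00 client=10.0.0.9 qname=mirror.odd-host.example answer=192.0.2.50 ttl=600
"""

# Assumed tuning values; the post names the features but gives no thresholds.
LOW_TTL_SECONDS = 60
DYNDNS_SUFFIXES = ("dyndns-host.example",)         # placeholder provider list
LOCAL_SUFFIX = "corp.local"                        # assumed local namespace
ORG_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed organisation IP space
SUSPECT_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) "
                     r"answer=(?P<answer>\S+) ttl=(?P<ttl>\d+)$")


def parse(text):
    """Parse log lines into dicts sorted by time; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["ttl"] = int(d["ttl"])
        d["answers"] = tuple(ipaddress.ip_address(a) for a in d.pop("answer").split(","))
        records.append(d)
    return sorted(records, key=lambda r: r["ts"])


def in_local_namespace(qname):
    return qname == LOCAL_SUFFIX or qname.endswith("." + LOCAL_SUFFIX)


def low_ttl(records):
    """Feature 1: responses carrying a low TTL."""
    return sorted({r["qname"] for r in records if r["ttl"] <= LOW_TTL_SECONDS})


def dynamic_dns(records):
    """Feature 2: names under a known dynamic-DNS provider."""
    return sorted({r["qname"] for r in records
                   if any(r["qname"].endswith("." + s) for s in DYNDNS_SUFFIXES)})


def queries_faster_than_ttl(records):
    """Feature 3: a client re-asks for a name before the previous TTL expired."""
    last, flagged = {}, set()
    for r in records:
        key = (r["client"], r["qname"])
        if key in last:
            prev_ts, prev_ttl = last[key]
            if (r["ts"] - prev_ts).total_seconds() < prev_ttl:
                flagged.add(key)
        last[key] = (r["ts"], r["ttl"])
    return sorted(flagged)


def external_name_internal_ip(records):
    """Feature 4: a non-local name answered with loopback, RFC1918 or org space."""
    flagged = set()
    for r in records:
        if in_local_namespace(r["qname"]):
            continue
        for a in r["answers"]:
            if any(a in net for net in SUSPECT_NETS + ORG_NETS):
                flagged.add((r["qname"], str(a)))
    return sorted(flagged)


def single_rr_churn(records, window_hours=24, max_changes=2):
    """Feature 5: single-RR answers for one name changing > max_changes per window."""
    seq = defaultdict(list)
    for r in records:
        if len(r["answers"]) == 1:  # multi-RR (round-robin) responses are excluded
            seq[r["qname"]].append((r["ts"], r["answers"][0]))
    window, flagged = window_hours * 3600, []
    for name, items in seq.items():
        changes = [ts for (ts, a), (_, prev) in zip(items[1:], items) if a != prev]
        if any(sum(1 for t in changes[i:] if (t - t0).total_seconds() <= window) > max_changes
               for i, t0 in enumerate(changes)):
            flagged.append(name)
    return sorted(flagged)


def analyze(text):
    """Run all five heuristics and return the hits per feature."""
    recs = parse(text)
    return {"low_ttl": low_ttl(recs), "dynamic_dns": dynamic_dns(recs),
            "faster_than_ttl": queries_faster_than_ttl(recs),
            "external_to_internal": external_name_internal_ip(recs),
            "single_rr_churn": single_rr_churn(recs)}


if __name__ == "__main__":
    for feature, hits in analyze(SAMPLE_LOG).items():
        print(f"{feature}: {hits}")
```

In the sample, the update.vendor.example host is queried twice but only after its TTL has lapsed, so it is not flagged by the rate check; that is the benign pattern the last bullet describes, as opposed to the fast-churning, low-TTL dynamic-DNS name that trips four of the five heuristics at once.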