[Discussion] features (mainly dns)

CunningPike cunningpike at gmail.com
Mon Nov 17 22:04:58 UTC 2008


On Mon, 2008-11-17 at 06:48 -0500, David Glosser wrote:
> See http://isc.sans.org/diary.html?storyid=5345, I think there are
> some interesting possible features, especially in the field of DNS and
> anomaly detection:
>       * DNS responses which had a low to very low TTL (time to live)
>         value, which is somewhat unusual;
>       * DNS responses which contained a domain that belonged to one of
>         a long list of dynamic DNS providers;
>       * DNS queries which were issued more frequently by the client
>         than would be expected given the TTL for that hostname;
>       * DNS requests for a hostname outside of the local namespace
>         which were responded to with a resource record pointing to an
>         IP address within either 127.0.0.0/8, 0.0.0.0/32, RFC1918 IP
>         space, or anywhere inside the public or private IP space of
>         the organization;

dnswall (http://code.google.com/p/google-dnswall/) deals with RFC1918
replies.

>       * Consecutive DNS responses for a single unique hostname which
>         contained only a single resource record, but which changed
>         more than twice every 24 hours.
>       * Persistent connections to HTTP servers on the internet, even
>         outside regular office hours, can be normal: just think of
>         software update mechanisms.
> 
> _______________________________________________
> Discussion mailing list
> Discussion at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
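The quoted heuristics as a small Python detector run over constructed DNS response records (an added example, not code from this thread or from the ISC diary); the TTL threshold, the dynamic-DNS suffix list, the local namespace, the organization's own address block and the sample records are all assumptions:

```python
"""Prototype of the DNS anomaly heuristics quoted from the ISC diary, run over
constructed sample records. Thresholds, suffix lists and ranges are assumptions."""
import ipaddress
from collections import defaultdict

LOW_TTL = 300                                            # seconds (assumed threshold)
DYNDNS_SUFFIXES = ("dyndns.example", "no-ip.example")    # placeholder provider list
LOCAL_SUFFIX = "corp.example"                            # assumed local namespace
INTERNAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "203.0.113.0/24")]                 # last: org's own public block (assumed)
MAX_CHANGES_PER_DAY = 2                                  # "more than twice every 24 hours"

# Constructed responses: (time_s, client, qname, answer_ip, ttl)
RECORDS = [
    (0,   "10.1.1.5",  "update.vendor.example", "198.51.100.9",  3600),
    (100, "10.1.1.5",  "update.vendor.example", "198.51.100.9",  3600),  # re-query inside TTL
    (200, "10.1.1.7",  "c2.dyndns.example",     "198.51.100.20", 30),    # dyn DNS, low TTL
    (300, "10.1.1.7",  "login.evil.example",    "192.168.4.4",   3600),  # external name -> RFC1918
    (400, "10.1.1.8",  "flux.example",          "198.51.100.30", 3600),
    (500, "10.1.1.9",  "flux.example",          "198.51.100.31", 3600),
    (600, "10.1.1.10", "flux.example",          "198.51.100.32", 3600),
    (700, "10.1.1.11", "flux.example",          "198.51.100.33", 3600),  # 3rd change in 24h
]

def detect(records):
    """Return (heuristic, qname) alerts in the order the records trigger them."""
    alerts = []
    last_query = {}                            # (client, qname) -> (time, ttl)
    last_ip, change_times = {}, defaultdict(list)
    for t, client, qname, ip, ttl in records:
        if ttl < LOW_TTL:
            alerts.append(("low_ttl", qname))
        if qname.endswith(DYNDNS_SUFFIXES):
            alerts.append(("dyndns_provider", qname))
        prev = last_query.get((client, qname))
        if prev and t - prev[0] < prev[1]:      # asked again before the cached TTL expired
            alerts.append(("requery_within_ttl", qname))
        last_query[(client, qname)] = (t, ttl)
        if not qname.endswith(LOCAL_SUFFIX) and any(
                ipaddress.ip_address(ip) in net for net in INTERNAL):
            alerts.append(("external_name_internal_ip", qname))
        if qname in last_ip and last_ip[qname] != ip:   # single-RR answer changed
            change_times[qname].append(t)
            recent = [c for c in change_times[qname] if t - c <= 86400]
            if len(recent) > MAX_CHANGES_PER_DAY:
                alerts.append(("fast_changing_record", qname))
        last_ip[qname] = ip
    return alerts

if __name__ == "__main__":
    for heuristic, name in detect(RECORDS):
        print(heuristic, name)
```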



