[Discussion] features (mainly dns)

Matt Jonkman jonkman at jonkmans.com
Tue Nov 18 15:35:34 UTC 2008


Dnswall is interesting.

More inline:

CunningPike wrote:
>>       * DNS responses which had a low to very low TTL (time to live)
>>         value, which is somewhat unusual;

We tried sigs for this a while ago and found that there are as many
legit low TTL responses as there were hostile. The sigs were reliable
and relatively low load, but the information wasn't actionable
unfortunately. Pretty much everyone with Akamai hit on it, etc.

>>       * DNS responses which contained a domain that belonged to one of
>>         a long list of dynamic DNS providers;

That's an interesting one. A good way for us to use DNS reputation data
that we'd surely collect alongside IP reputation data.

>>       * DNS queries which were issued more frequently by the client
>>         than would be expected given the TTL for that hostname;

How do you mean? Like looking for a client that's making repeated DNS
queries within the TTL? Maybe poorly coded bots?

>>       * DNS requests for a hostname outside of the local namespace
>>         which were responded to with a resource record pointing to an
>>         IP address within either 127.0.0.0/8, 0.0.0.0/32, RFC1918 IP
>>         space, or anywhere inside the public or private IP space of
>>         the organization;

Absolutely here. But it would require a good deal of local config, though
worthwhile I think.

Great Ideas!!

Matt


> 
> dnswall (http://code.google.com/p/google-dnswall/) deals with RFC1918
> replies.
> 
>>       * Consecutive DNS responses for a single unique hostname which
>>         contained only a single resource record, but which changed
>>         more than twice every 24 hours.
>>       * Persistent connections to HTTP servers on the internet, even
>>         outside regular office hours, can be normal: just think of
>>         software update mechanisms.
>>
>> _______________________________________________
>> Discussion mailing list
>> Discussion at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
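As an added example (not code from the list or from any of the thread's authors), the two checks discussed above, the "external hostname answered with an internal or loopback address" rule and the "client re-asks within the TTL" rule, applied to a constructed resolver log; the local zone names, the organization's public range and the record layout are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed resolver log: (timestamp, client, qname, answer_ip, ttl).
SAMPLE_RECORDS = [
    (1000, "10.1.1.5", "updates.example.com", "93.184.216.34", 300),
    (1010, "10.1.1.5", "updates.example.com", "93.184.216.34", 300),  # re-asked inside TTL
    (1020, "10.1.1.5", "updates.example.com", "93.184.216.34", 300),  # and again
    (1000, "10.1.1.9", "cdn.example.net", "93.184.216.35", 20),
    (1400, "10.1.1.9", "cdn.example.net", "93.184.216.35", 20),       # TTL expired: normal
    (1500, "10.1.1.7", "evil.example.org", "127.0.0.1", 60),           # external name -> loopback
    (1600, "10.1.1.7", "c2.example.org", "192.168.1.10", 60),          # external name -> RFC1918
    (1700, "10.1.1.7", "intranet.corp.example", "192.168.1.10", 60),   # local namespace: normal
]

LOCAL_ZONES = ("corp.example",)                              # assumed local namespace
ORG_PUBLIC_SPACE = [ipaddress.ip_network("203.0.113.0/24")]   # assumed org public range

# Loopback, 0.0.0.0/32, RFC1918 and the organization's own space, as in the quoted rule.
SUSPECT_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)] + ORG_PUBLIC_SPACE


def is_local_name(qname):
    return any(qname == z or qname.endswith("." + z) for z in LOCAL_ZONES)


def find_internal_answers(records):
    """(client, qname, ip) for non-local names that resolve into suspect address space."""
    hits = []
    for _ts, client, qname, ip, _ttl in records:
        if is_local_name(qname):
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in SUSPECT_NETS):
            hits.append((client, qname, ip))
    return hits


def find_queries_within_ttl(records, min_repeats=2):
    """(client, qname, count) for clients that re-query before their cached answer expires."""
    expiry = {}                      # (client, qname) -> time the cached answer should expire
    repeats = defaultdict(int)
    for ts, client, qname, _ip, ttl in sorted(records):
        key = (client, qname)
        if key in expiry and ts < expiry[key]:
            repeats[key] += 1        # a caching client would not have asked again yet
        else:
            expiry[key] = ts + ttl   # fresh answer: start a new TTL window
    return [(c, q, n) for (c, q), n in repeats.items() if n >= min_repeats]
```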
