[Discussion] features (mainly dns)

David Glosser david.glosser at gmail.com
Tue Nov 18 16:05:11 UTC 2008


> >>       * DNS responses which had a low to very low TTL (time to live)
> >>         value, which is somewhat unusual;
>
> We tried sigs for this a while ago and found that there are as many
> legit low ttl responses as there were hostile. The sigs were reliable
> and relatively low load, but the information wasn't actionable
> unfortunately. Pretty much everyone with Akamai hit on it, etc.
>

Maybe have a whitelist?
Or just include this parameter within a DNS/IP reputation score?


>
>
> >>       * DNS queries which were issued more frequently by the client
> >>         than would be expected given the TTL for that hostname;
>
> How do you mean? Like looking for a client that's making repeated DNS
> queries within the TTL? Maybe poorly coded bots?


Not sure, this was directly quoted from the SANS post :)
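As an added worked example (my own code, not from this thread and not part of the OISF/Suricata code base), here is what the two heuristics look like when folded into a per-client score the way the reply above suggests: a low-TTL answer counts only when the name is not on a whitelist of known short-TTL operators, and a client that asks for the same name again before the previous answer's TTL has run out is counted as a "more frequent than the TTL allows" event. The log format, the names, the whitelist, the 60-second cut-off and the weights are all assumptions made up for the example; the log lines are constructed.

```python
# Toy scorer for the two DNS heuristics discussed in the thread:
#   1. low-TTL answers, counted only for names outside a whitelist, and
#   2. a client re-querying a name while the previous answer is still valid.
# Added example; log format, names, whitelist, cut-off and weights are assumptions.
from collections import defaultdict

LOW_TTL_SECONDS = 60   # assumed cut-off for a "low to very low" TTL
LOW_TTL_WEIGHT = 1     # score per non-whitelisted low-TTL answer
REQUERY_WEIGHT = 2     # score per query issued inside the previous answer's TTL

# Constructed sample log: "<epoch-seconds> <client-ip> <qname> <answer-ttl>"
# per line, one line per query/answer pair as a resolver-side sensor might log it.
SAMPLE_LOG = """\
1000 10.0.0.5 cdn.akamai-like.test 20
1000 10.0.0.5 www.example.test 3600
1060 10.0.0.5 cdn.akamai-like.test 20
1100 10.0.0.5 cdn.akamai-like.test 20
1000 10.0.0.7 c2.example.test 30
1005 10.0.0.7 c2.example.test 30
1010 10.0.0.7 c2.example.test 30
1015 10.0.0.7 c2.example.test 30
5000 10.0.0.5 www.example.test 3600
"""

# Assumed whitelist of domain suffixes that legitimately use short TTLs (CDNs etc.).
WHITELIST = ("akamai-like.test",)


def parse_log(text):
    """Parse the constructed log lines into (ts, client, qname, ttl) tuples, time-ordered."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, ttl = line.split()
        records.append((int(ts), client, qname.lower().rstrip("."), int(ttl)))
    return sorted(records)


def is_whitelisted(qname, whitelist=WHITELIST):
    """True if qname is exactly a whitelisted suffix or a label under one."""
    return any(qname == w or qname.endswith("." + w) for w in whitelist)


def score_low_ttl(records, whitelist=WHITELIST):
    """Per-client count of answers with TTL below the cut-off for non-whitelisted names."""
    hits = defaultdict(int)
    for _ts, client, qname, ttl in records:
        if ttl < LOW_TTL_SECONDS and not is_whitelisted(qname, whitelist):
            hits[client] += 1
    return dict(hits)


def find_requery_within_ttl(records):
    """Count queries a client sends for a name while its previous answer is still valid.

    A cache-respecting stub resolver should not ask again before last_ts + ttl;
    doing so repeatedly is the 'queried more often than the TTL allows' signal.
    Each answer (violating or not) starts a new validity window.
    """
    valid_until = {}            # (client, qname) -> expiry of the last answer seen
    violations = defaultdict(int)
    for ts, client, qname, ttl in records:
        key = (client, qname)
        if key in valid_until and ts < valid_until[key]:
            violations[key] += 1
        valid_until[key] = ts + ttl
    return dict(violations)


def score_clients(records, whitelist=WHITELIST):
    """Combine both signals into one per-client score (higher = more suspicious)."""
    scores = {client: 0 for _ts, client, _q, _ttl in records}
    for client, n in score_low_ttl(records, whitelist).items():
        scores[client] += n * LOW_TTL_WEIGHT
    for (client, _qname), n in find_requery_within_ttl(records).items():
        scores[client] += n * REQUERY_WEIGHT
    return scores


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, score in sorted(score_clients(recs).items()):
        print(client, score)
```

On the constructed input the CDN-style name never contributes, even though its TTL is 20 seconds, because it is whitelisted and the client only re-asks after the answer has expired; the other client re-queries its 30-second name every 5 seconds and accumulates score from both signals. The re-query counter is the part to treat with care: any host behind a forwarder or NAT shows up as one client, so several well-behaved machines can look like one that ignores TTLs.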