[Oisf-devel] PREPROCESSOR IDEA: Reliable Fast Flux Detection

Martin Holste mcholste at gmail.com
Mon Mar 19 18:14:26 UTC 2012


How about a dev utility that converts Wireshark modules into
preprocessors suitable for Suricata?

On Mon, Mar 19, 2012 at 10:14 AM, Victor Julien <victor at inliniac.net> wrote:
> On 02/29/2012 10:21 AM, Kevin Ross wrote:
>> As fast flux is more and more used
>> http://www.damballa.com/press/2012_02_28PR.php and if you look at
>> samples in the sandnet such as e2d5d6ce50cf0a6b816e0f2aa7c35970
>> (W32/Shiz) you will see SID 2008470 (ET DNS Excessive NXDOMAIN responses
>> - Possible DNS Backscatter or Fast Flux DNS Lookups) detects it. However
>> this detection method while it works does have FPs.
>>
>> If, however, a preprocessor detected the NXDOMAIN responses where most
>> (or all of them) are unique then that would reliably detect fast flux
>> (perhaps by checking if the last domain in the NXDOMAIN response is the
>> same as this one, if it is then you don't have fast flux, if it is then
>> move on with the increment till you declare fast flux). So rather than a
>> host doing lots of requests for the same domain or a few triggering the
>> sig if you see behaviour like e2d5d6ce50cf0a6b816e0f2aa7c35970 where it
>> is moving through the generated domains then you reliably have fast flux
>> detection.
>>
>> I believe with more malware moving to fast flux (which vendors seem to
>> call stealthy but seeing how much fast flux triggers sid 2008470 it
>> lights up like a Christmas tree I doubt it); but I think reliable
>> detection of fast flux will be important in detecting malware behaviours
>> in the network.
>
> I guess the first thing we'd need is a good DNS parser. Anyone
> interested in building one?
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
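
The heuristic described in the quoted message (count NXDOMAIN responses per host only when the queried names differ), together with the minimal DNS response parsing it depends on, as an added example that is not code from this thread or from Suricata. The names UniqueNxTracker, parse_response and build_response, the threshold and window values, and the sample hosts and domains are assumptions constructed for illustration; "client" is the host the response is addressed to.

```python
import struct
from collections import defaultdict

NXDOMAIN = 3  # DNS RCODE for "name does not exist"

def build_response(qname, rcode):
    """Constructed sample: a DNS response carrying one question and no answers."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(payload):
    """Return (rcode, qname) for a DNS response, or None for queries and bad data."""
    if len(payload) < 12:
        return None
    _id, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if not flags & 0x8000 or qdcount < 1:  # QR bit clear means a query
        return None
    labels, off = [], 12
    while off < len(payload) and payload[off] != 0:
        n = payload[off]
        if n > 63 or off + 1 + n > len(payload):  # pointer or truncated label
            return None
        labels.append(payload[off + 1:off + 1 + n].decode("ascii", "replace").lower())
        off += 1 + n
    if off >= len(payload):  # ran off the end without a root label
        return None
    return flags & 0x000F, ".".join(labels)

class UniqueNxTracker:
    """Per client, count distinct NXDOMAIN names seen inside a sliding window."""
    def __init__(self, threshold=10, window=60.0):  # assumed values, tune per network
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(dict)  # client -> {qname: last seen timestamp}

    def observe(self, ts, client, payload):
        parsed = parse_response(payload)
        if parsed is None or parsed[0] != NXDOMAIN:
            return False
        names = self.seen[client]
        names[parsed[1]] = ts  # a repeat of the same name only refreshes its entry
        for stale in [n for n, t in names.items() if ts - t > self.window]:
            del names[stale]
        return len(names) >= self.threshold

def demo():
    trk = UniqueNxTracker(threshold=5, window=60.0)
    # One host retrying a single missing name 20 times: many NXDOMAINs, one unique name.
    same = [trk.observe(i, "10.0.0.5", build_response("wpad.corp.example", 3)) for i in range(20)]
    # Another host stepping through six different constructed names.
    walk = [trk.observe(i, "10.0.0.9", build_response(f"q{i}x7k.example", 3)) for i in range(6)]
    return any(same), walk
```

A plain NXDOMAIN counter would fire on the first host; counting distinct names fires only on the second, which is the false-positive reduction the quoted message is after.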


