[Oisf-devel] PREPROCESSOR IDEA: Reliable Fast Flux Detection

Edward Fjellskål edwardfjellskaal at gmail.com
Mon Mar 19 18:54:23 UTC 2012


I did some work on passivedns this weekend, and I have a branch
that now catches and logs nxdomains for testing.

In passivedns I use libldns from nlnetlabs.nl, which makes parsing dns
traffic easier :)
That might be a lib to consider if one wants to implement something
like a dns-preprocessor.

Example output from e2d5d6ce50cf0a6b816e0f2aa7c35970 and its traffic:
(From passivedns)

...
#timestamp||dns-client||dns-server||RR class||Query||Query Type||Answer||TTL
1326607865||192.168.X.Y||1.2.3.4||IN||cicavemejih.eu.||A||NXDOMAIN||0
1326607865||192.168.X.Y||1.2.3.4||IN||tuwiduqotug.eu.||A||NXDOMAIN||0
1326607865||192.168.X.Y||1.2.3.4||IN||xuqotujodaz.eu.||A||NXDOMAIN||0
1326607865||192.168.X.Y||1.2.3.4||IN||kepyxujycaz.eu.||A||NXDOMAIN||0
1326607865||192.168.X.Y||1.2.3.4||IN||magowymafum.eu.||A||NXDOMAIN||0
...

From my first look, it should be easy to test entropy on those
subdomains, and alert if you would see many such random subdomains
following each other.

Alienvault did some stuff here on heuristics:
http://labs.alienvault.com/labs/index.php/2012/detecting-malware-domains-by-syntax-heuristics/

For what it's worth...

e


On 03/19/2012 07:14 PM, Martin Holste wrote:
> How about a dev utility that converts Wireshark modules into
> preprocessors suitable for Suricata?
> 
> On Mon, Mar 19, 2012 at 10:14 AM, Victor Julien <victor at inliniac.net> wrote:
>> On 02/29/2012 10:21 AM, Kevin Ross wrote:
>>> As fast flux is more and more used
>>> http://www.damballa.com/press/2012_02_28PR.php and if you look at
>>> samples in the sandnet such as e2d5d6ce50cf0a6b816e0f2aa7c35970
>>> (W32/Shiz) you will see SID 2008470 (ET DNS Excessive NXDOMAIN responses
>>> - Possible DNS Backscatter or Fast Flux DNS Lookups) detects it. However
>>> this detection method while it works does have FPs.
>>>
>>> If however a preprocessor detecting the NXDOMAIN responses where most
>>> (or all of them) are unique then that would reliably detect fast flux
>>> (perhaps by checking if the last domain in the NXDOMAIN response is the
>>> same as this one, if it is then you don't have fast flux, if it is then
>>> move on with the increment till you declare fast flux). So rather than a
>>> host doing lots of requests for the same domain or a few triggering the
>>> sig if you see behaviour like e2d5d6ce50cf0a6b816e0f2aa7c35970 where it
>>> is moving through the generated domains then you reliably have fast flux
>>> detection.
>>>
>>> I believe with more malware moving to fast flux (which vendors seem to
>>> call stealthy but seeing how much fast flux triggers sid 2008470 it
>>> lights up like a Christmas tree I doubt it); but I think reliable
>>> detection of fast flux will be important in detecting malware behaviours
>>> in the network.
>>
>> I guess the first thing we'd need is a good DNS parser. Anyone
>> interested in building one?
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
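The two ideas in this thread, Kevin's "is the NXDOMAIN name different from the last one?" check and Edward's entropy test on the random labels, combined into a small detector that reads passivedns-style output. This is an added example, not code from passivedns, Suricata or the thread; the client addresses, thresholds and log lines are constructed, and the per-client distinct-name count generalises Kevin's last-vs-current comparison to a sliding window.

```python
import math
from collections import Counter, defaultdict, deque

# Constructed passivedns-style records in the layout shown in the mail:
# timestamp||client||server||class||query||qtype||answer||ttl. Client .10 walks through
# random-looking names; client .20 re-asks one typo, which a plain NXDOMAIN counter would count.
SAMPLE_LOG = """\
1326607865||192.168.1.10||1.2.3.4||IN||cicavemejih.eu.||A||NXDOMAIN||0
1326607865||192.168.1.10||1.2.3.4||IN||tuwiduqotug.eu.||A||NXDOMAIN||0
1326607865||192.168.1.10||1.2.3.4||IN||xuqotujodaz.eu.||A||NXDOMAIN||0
1326607865||192.168.1.10||1.2.3.4||IN||kepyxujycaz.eu.||A||NXDOMAIN||0
1326607865||192.168.1.10||1.2.3.4||IN||magowymafum.eu.||A||NXDOMAIN||0
1326607866||192.168.1.20||1.2.3.4||IN||typo.example.||A||NXDOMAIN||0
1326607867||192.168.1.20||1.2.3.4||IN||typo.example.||A||NXDOMAIN||0
1326607868||192.168.1.20||1.2.3.4||IN||typo.example.||A||NXDOMAIN||0
"""

def parse_line(line):
    """Split one passivedns record into a dict; None for the header or malformed lines."""
    fields = line.strip().split("||")
    if line.startswith("#") or len(fields) != 8:
        return None
    ts, client, _srv, _cls, query, qtype, answer, _ttl = fields
    return {"ts": int(ts), "client": client, "query": query.lower(), "qtype": qtype, "answer": answer}

def label_entropy(name):
    """Shannon entropy (bits/char) of the leftmost label, the part a DGA randomises."""
    label = name.rstrip(".").split(".")[0]
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def scan(log_text, window=10, threshold=5, min_entropy=2.5):
    """Per-client sliding window over NXDOMAIN names. Alert only when the recent names are
    mostly distinct and look random (mean label entropy), so one repeated typo never fires."""
    recent, alerts = defaultdict(lambda: deque(maxlen=window)), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["answer"] != "NXDOMAIN":
            continue
        names = recent[rec["client"]]
        names.append(rec["query"])
        distinct = set(names)
        if len(distinct) < threshold:
            continue  # repeated lookups of one missing name: not flux/DGA behaviour
        mean_h = sum(label_entropy(n) for n in distinct) / len(distinct)
        if mean_h >= min_entropy:
            alerts.append({"ts": rec["ts"], "client": rec["client"],
                           "distinct": len(distinct), "mean_entropy": round(mean_h, 2)})
    return alerts
```

The entropy threshold is a heuristic for short labels (a four-letter dictionary word already scores 2.0), so the distinct-name count is the primary trigger and entropy only suppresses runs of dictionary-like names.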