[Oisf-users] SURICATA: DNS Reputation, forwarder/capture on DNS servers for suricata?

Edward Fjellskål edwardfjellskaal at gmail.com
Tue Feb 15 03:38:40 EST 2011


Just a note to this:

I have on my todo to write a Passive DNS daemon.
For those not familiar with passive DNS and what it is good for,
you might look at: http://www.enyo.de/fw/software/dnslogger/#2
and google other sources.

My basic use is to spot IPs that have been used for bad hostnames.
So if something bad is discovered going to evil.org in January 2011,
you can have a list of IPs that *your* network used for those domains
in the past! That's good input for your flowdata searches :)
Example:

First seen           Domain     Type  Data
2010-07-21 13:58:51  evil.org   A     127.0.0.1
2010-08-14 16:14:00  evil.org   A     216.7.173.212
2010-10-11 07:15:58  evil.org   A     206.132.83.2
2010-11-20 16:12:56  evil.org   A     38.11.2.165.60

Would it be possible to have such a preprocessor in Suricata?
This is possible today with Suricata and some glue (write a rule that
catches all the right DNS queries, and then parse the unified output or get
the payload from the DB and extract the info), but that is not the best way to do this :/

Regards,
Edward


On Tue, Feb 15, 2011 at 2:12 AM, Kevin Ross <kevross33 at googlemail.com> wrote:
> Hi, just a few talking points/ideas for the DNS reputation system for
> suricata that I thought I might as well get in before the OISF meeting:
>
> - Obviously have DNS reputation on the network as an option, but there is a
> design problem there. Most people will have their Suricata installs on the
> perimeter watching traffic coming in and out, which is fine, but when it comes
> to DNS in large organisations that have internal DNS servers, what you get is
> the DNS server doing a recursive lookup on the client's behalf, which means
> you only see the DNS server as the source host. This means that if you are
> applying DNS reputation, especially one which is score based, you never
> really see the source host unless you are in between the DNS server and the
> client. What you could have as an option is a small listener capturing DNS
> queries, installed on the DNS server (Windows, *nix etc.) and forwarding them
> to the Suricata device. This means you will not miss any DNS queries if you
> install it on all your internal DNS servers, and then you have it on the
> network to capture direct queries from a client (negating known DNS servers
> if DNS capture and forwarding of DNS queries is used), and this allows you to
> see what real client is looking up malware domains, or to apply reputation
> intelligence and patterns to the true host.
>
> - Have a domain suffix reputation score reduction system to track a host,
> i.e. suggest some ideal defaults in a config file and people can add/take
> away if they want to use the system, and then common "bad" domain lookups can
> apply a score and keep note of a host. If the host makes repeated "bad"
> lookups, the infection score can be increased until an alert is generated
> (i.e. repeated lookups to .cn, .ro and .ru domains from a single host).
>
> - Checks against known bad domains (SpyEye/ZeuS trackers, malwaredomains
> etc.), which I know will be in there anyway. Also have an ET blacklist or
> something into which DNS lookups from the sandnet are fed.
>
> Regards, Kevin
>
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>
-- 
Edward Bjarte Fjellskål
Senior Security Analyst
http://www.gamelinux.org/
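The first-seen table Edward describes is the core of a passive DNS daemon: every (owner name, record type, rdata) tuple seen in a DNS *response* becomes a row the first time it appears, and later repeats only update last-seen and a counter, so you can later ask "which IPs did evil.org resolve to on my network, and when" or, in reverse, "which domains has this IP been an answer for". The following is an added example, not code from this thread, from Suricata or from any project of the posters. It parses DNS wire format (RFC 1035, including compression pointers) and maintains that table; the packets it replays are constructed inline with `build_response()` (a test helper, not part of the daemon), with addresses taken from the table quoted above and timestamps that are assumptions. Hostname `www.evil.org` and the duplicate answer are also constructed to show the CNAME and repeat paths.

```python
import socket
import struct

RR_TYPES = {1: "A", 5: "CNAME", 28: "AAAA"}


def read_name(pkt, off):
    """Decode a DNS name at pkt[off], following RFC 1035 compression pointers.
    Returns (lower-cased dotted name, offset just past the name in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:               # 11xxxxxx: pointer to an earlier name
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                   # the stream resumes after the 2-byte pointer
            hops += 1
            if hops > 32:                       # refuse pointer loops in hostile packets
                raise ValueError("compression pointer loop")
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(pkt):
    """Return [(owner, rrtype, rdata)] for the answer section of a DNS response.
    Queries (QR bit clear) yield nothing: passive DNS records what resolvers answered."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", pkt[:12])
    if not flags & 0x8000:
        return []
    off = 12
    for _ in range(qdcount):
        _, off = read_name(pkt, off)
        off += 4                                # skip QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        owner, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        raw = pkt[off:off + rdlen]
        if rtype == 1 and rdlen == 4:
            rdata = socket.inet_ntop(socket.AF_INET, raw)
        elif rtype == 28 and rdlen == 16:
            rdata = socket.inet_ntop(socket.AF_INET6, raw)
        elif rtype == 5:
            rdata, _ = read_name(pkt, off)      # CNAME target may itself be compressed
        else:
            rdata = raw.hex()
        off += rdlen
        records.append((owner, RR_TYPES.get(rtype, str(rtype)), rdata))
    return records


class PassiveDNS:
    """First-seen / last-seen table keyed by (owner, type, rdata): a new key is a
    new row, a repeated answer only bumps last_seen and count."""

    def __init__(self):
        self.rows = {}

    def observe(self, pkt, ts):
        for key in parse_response(pkt):
            row = self.rows.get(key)
            if row is None:
                self.rows[key] = {"first_seen": ts, "last_seen": ts, "count": 1}
            else:
                row["last_seen"] = ts
                row["count"] += 1

    def history(self, name):
        """Every (first_seen, type, rdata) ever answered for a domain, oldest first."""
        name = name.lower()
        return sorted((v["first_seen"], k[1], k[2]) for k, v in self.rows.items() if k[0] == name)

    def domains_for(self, rdata):
        """Reverse lookup for flow searches: domains an IP (or CNAME target) answered for."""
        return sorted({k[0] for k in self.rows if k[2] == rdata})


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split(".")) + b"\x00"


def build_response(qname, answers, txid=0x1234):
    """Constructed test packet (not daemon code): standard response; answers are
    (owner, type, rdata) and an owner equal to qname is emitted as the usual 0xC00C pointer."""
    pkt = struct.pack("!6H", txid, 0x8180, 1, len(answers), 0, 0)
    pkt += encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, rtype, rdata in answers:
        raw = {1: lambda r: socket.inet_pton(socket.AF_INET, r),
               28: lambda r: socket.inet_pton(socket.AF_INET6, r),
               5: encode_name}[rtype](rdata)
        owner_wire = b"\xc0\x0c" if owner == qname else encode_name(owner)
        pkt += owner_wire + struct.pack("!HHIH", rtype, 1, 300, len(raw)) + raw
    return pkt


def demo():
    """Replay constructed observations (addresses from the table in the mail above,
    timestamps assumed) plus a plain query and a duplicate answer; return the table."""
    pdns = PassiveDNS()
    pdns.observe(build_response("evil.org", [("evil.org", 1, "127.0.0.1")]), "2010-07-21 13:58:51")
    pdns.observe(build_response("evil.org", [("evil.org", 1, "216.7.173.212")]), "2010-08-14 16:14:00")
    pdns.observe(build_response("evil.org", [("evil.org", 1, "216.7.173.212")]), "2010-08-15 09:00:00")
    pdns.observe(build_response("evil.org", [("evil.org", 1, "206.132.83.2")]), "2010-10-11 07:15:58")
    pdns.observe(build_response("www.evil.org", [("www.evil.org", 5, "evil.org"),
                                                 ("evil.org", 1, "206.132.83.2")]), "2010-10-12 08:00:00")
    query = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + encode_name("evil.org") + struct.pack("!HH", 1, 1)
    pdns.observe(query, "2010-10-13 10:00:00")  # QR clear: a query, nothing recorded
    return pdns


if __name__ == "__main__":
    for (owner, rtype, rdata), row in sorted(demo().rows.items(), key=lambda kv: kv[1]["first_seen"]):
        print(f"{row['first_seen']}  {owner:<14}{rtype:<7}{rdata:<16}seen={row['count']}")
```

Running it reproduces the shape of the table above from packets rather than from alerts: three A rows for evil.org with their first-seen dates, one CNAME row, the repeated 216.7.173.212 answer counted twice rather than added again, and the bare query ignored. In a real deployment `observe()` would be fed from a capture on the resolver (or the forwarder Kevin suggests), and the key question for the "in between the DNS server and the client" problem is simply whether the packet's source is the resolver or the end client, which this table does not record and a daemon would want to.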
