[Oisf-users] SURICATA: DNS Reputation, forwarder/capture on DNS servers for suricata?

Kevin Ross kevross33 at googlemail.com
Tue Feb 15 01:12:20 UTC 2011

Hi, just a few talking points/ideas for the DNS reputation system for
suricata that I thought I might as well get in before the OISF meeting:

- Obviously have DNS reputation on the network as an option but there is a
design problem there. Most people will have their suricata installs on the
perimeter watching traffic coming in and out which is fine but when it comes
to DNS in large organisation that have internal DNS servers what you get is
the DNS server doing a recursive lookup on the clients behalf which means
you only see the DNS server as the source host. This means if you are
applying DNS reputation, especially one which is score based that you never
really see the source host unless you are in between the DNS server and the
client. What you could have as an option is a small listener capturing DNS
queries installed on the DNS server (windows, *nix etc) and forwarding them
to the suricata device. This means you will not miss any DNS queries if you
install it on all your internal DNS servers and then you have it on the
network to capture direct queries from a client (negating known DNS servers
if DNS capture and forwarding of DNS queries is used) and this allows you to
see what real client is looking up malware domains or apply reputation
intelligence and patterns to the true host.

- Have a domain suffix reputation score reduction system to track a host.
i.e suggest some ideal defaults in a config file and people can add/take
away if they want to use the system and then common "bad" domain lookups can
apply a score and keep note of a host. If the host makes repeated "bad"
lookups the infection score can be increased until an alert is generated
(i.e repeated lookups to .cn, .ro and .ru domains from a single host).

- checks against known bad domains (spyeye/zeus trackers, malwaredomains
etc) which I know will be in there anyway. Also have an ET blacklist or
something in which DNS lookups from the sandnet are fed into the system.

Regards, Kevin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20110215/98ac3b2d/attachment-0002.html>

More information about the Oisf-users mailing list