[Oisf-users] practical use of dns log

Kevin Ross kevross33 at googlemail.com
Wed Nov 27 09:16:44 UTC 2013


With DNS if you haven't already I would also suggest using this:

https://github.com/gamelinux/passivedns
www.alienvault.com/open-threat-exchange/blog/identifying-suspicious-domains-using-
dns-records
http://www.net-security.org/article.php?id=1844&p=1<http://www.net-security.org/article.php?id=1844&p=2>
.

I use it and I find its ability to query quickly via web interface or
having a mysql database I can do other queries and try ideas on useful
(such as newly seen suspicious domains etc). Also blacklists & regex
support and as described in the last link provided I use this in
combination with a SIEM to identify domain generation algorithms and it has
proven reliable against Zeus and other DGA malware.

While it may not be as verbose in tracing down where queries are coming
from (especially if you can get a sensor in between your clients and DNS
servers to get the source) I find it excellent for large scale analysis and
queries. Also with the web interface I have Virustotal (which is excellent
for passiveDNS as it links malware from or speaking to the address and
other files), BFK and also my local PDNS as Snorby lookup sources and I
find the local one exceptionally useful as when you have a query you can
see all the domain names that we actually queried inside your network for
this and then can quickly determine other linked IPs, domain names etc seen
in your organisation. Also given that the database size in a large network
with 30,000 users is relatively small for now nearly 2 months of data
(500MB) so keeping large sets of historic data is possible to find later
malicious domains.

So far using this I have looked into using the data reliably to detect
these things:
- DGA malware
- Other malware domains
- Malicious domains (exploit kits, fake AVs etc).
- Now looking into fast flux detection and also other ways of detecting
malicious hosting infrastructure.

I think once I have some kind of decent data reduction on the basic queries
on the data already available I hoping to output that data from the
database and do other automatic analysis on it to reduce that set further
with other features (such as geoIP, creation dates etc).

Oh and reading the academic papers from Damballa
https://www.damballa.com/damballa-labs/publications.php and
openDNS/Umbrella Labs http://labs.umbrella.com/blog/ may help give you
other ideas of using your DNS data to detect badness however you choose to
collect your DNS data.

Hope that helps you a bit,
Kevin



On 26 November 2013 08:49, Christophe Vandeplas <christophe at vandeplas.com>wrote:

> Hi list,
>
>
> In the past I've been using another tool to do DNS logging, and now
> I'd like to use Suricata for this. The format of the file is
> completely different, and also a part of the interpretation (Suricata
> is a LOT more verbose and complete)
>
> DNS logging of Suricata is mulitiple lines per DNS request (and
> response). So searching for things require multiple greps and
> filtering out duplicate ids.
>
> I'm wondering how others use this DNS logging.
> All stories (on or off-list) and practical use-cases are welcome.
> I'll do my best to document these on the wiki so that others can
> benefit from this info.
>
> As far as I understand there seem to be plans to transform the logging
> into json, is there already an idea about when that's to be expected?
>
>
> Thanks
> Kind regards
> Christophe
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20131127/9fcbb5ab/attachment-0002.html>


More information about the Oisf-users mailing list