Hi,
I’m setting up Bro IDS recently. I will listen to DNS traffic via a SPAN port, but I wonder: how can I detect malware and victim clients that use bad DNS in the network?
thanks.
This script that I wrote a while ago may help:
It creates an external_dns.log file (which is just dns.log pre-filtered for you) and raises notices when it detects clients using external DNS servers.
external-dns.bro (2.67 KB)
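The attached script itself is not reproduced on the page. The following Bro script is an added example, written for this post rather than taken from Justin's attachment, showing how the behaviour he describes can be implemented: it writes an external_dns.log stream containing only queries sent to resolvers outside an allow-list, and raises one notice per offending client. The resolver addresses and the local network range are placeholders you must replace with your own.

```bro
##! Added example (not the attached external-dns.bro): log DNS queries sent to
##! resolvers outside an allow-list and raise a notice per client doing so.

@load base/frameworks/notice
@load base/protocols/dns
@load base/utils/site

module ExternalDNS;

export {
	redef enum Log::ID += { LOG };

	redef enum Notice::Type += {
		## A local client sent a DNS query to a resolver not in allowed_servers.
		Client_Using_External_DNS
	};

	## Resolvers clients are expected to use. Placeholder addresses (assumption);
	## replace with the site's real internal resolvers.
	const allowed_servers: set[addr] = { 10.0.0.53, 10.0.1.53 } &redef;

	## Columns of external_dns.log: a trimmed-down dns.log.
	type Info: record {
		ts:    time    &log;
		uid:   string  &log;
		id:    conn_id &log;
		query: string  &log;
		qtype: string  &log;
	};
}

# Site::is_local_addr() needs local_nets; placeholder range (assumption).
redef Site::local_nets += { 192.168.0.0/16 };

event bro_init()
	{
	Log::create_stream(LOG, [$columns=Info, $path="external_dns"]);
	}

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	local client = c$id$orig_h;
	local server = c$id$resp_h;

	# Only local clients talking to resolvers we do not run are interesting.
	if ( ! Site::is_local_addr(client) || server in allowed_servers )
		return;

	# Every external query lands in external_dns.log for later review.
	Log::write(LOG, [$ts=network_time(), $uid=c$uid, $id=c$id,
	                 $query=query, $qtype=DNS::query_types[qtype]]);

	# $identifier lets the Notice framework suppress repeats for the same client
	# (Notice::default_suppression_interval, one hour by default).
	NOTICE([$note=Client_Using_External_DNS,
	        $msg=fmt("%s queried external DNS server %s for %s", client, server, query),
	        $sub=query,
	        $conn=c,
	        $identifier=cat(client)]);
	}
```

Load it from local.bro and check notice.log for Client_Using_External_DNS entries; a client that resolves names through a server you do not operate is either misconfigured or using a resolver chosen by something else on the host, and either way worth a look.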
Hi Justin,
Thanks, but I need code or configuration that queries the malware DNS/IP sources that are trying to connect and raises notices.
Or how do you recognise malware-infected DDoS clients in your network with Bro?
thanks…
This will get you there:
https://intel.criticalstack.com/
also, not Bro related, but graphically shows what you’re looking for:
https://github.com/stamparm/maltrail
James
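The Critical Stack feeds James links to are consumed through Bro's Intel framework. The following is an added configuration example, not part of the thread, showing how a feed of malicious domains and addresses is loaded so that DNS queries and connections matching an indicator raise a notice. The feed file path and the indicator lines are constructed placeholders; the Critical Stack client writes its own file and you point Intel::read_files at that instead.

```bro
##! Added example (not from the thread): match DNS queries and connections
##! against an Intel feed and raise notices on hits.

@load base/frameworks/intel
@load policy/frameworks/intel/seen        # feeds DNS queries, connections, HTTP, etc. into Intel::seen
@load policy/frameworks/intel/do_notice   # raises Intel::Notice when meta.do_notice is T

# Placeholder path (assumption); the file is tab-separated with a #fields header.
redef Intel::read_files += { "/opt/bro/share/bro/site/intel/malware-dns.intel" };

# Constructed example contents of that file (tabs between columns):
#
# #fields	indicator	indicator_type	meta.source	meta.desc	meta.do_notice
# bad-example.invalid	Intel::DOMAIN	local-list	constructed example	T
# 203.0.113.10	Intel::ADDR	local-list	constructed example	T

module SiteIntel;

export {
	redef enum Notice::Type += {
		## A local client looked up a domain that is on an intel feed.
		Client_Queried_Malicious_Domain
	};
}

# Intel::match fires for every hit; this handler singles out DNS-query hits so
# the infected client (the query originator) is named in the notice.
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
	{
	if ( ! s?$conn || s$where != DNS::IN_REQUEST )
		return;

	local sources: set[string];
	for ( item in items )
		add sources[item$meta$source];

	NOTICE([$note=Client_Queried_Malicious_Domain,
	        $msg=fmt("%s queried %s (listed by %s)",
	                 s$conn$id$orig_h, s$indicator, join_string_set(sources, ",")),
	        $sub=s$indicator,
	        $conn=s$conn,
	        $identifier=cat(s$conn$id$orig_h, s$indicator)]);
	}
```

With do_notice loaded, hits already appear in notice.log as Intel::Notice and in intel.log with the connection uid; the extra handler is only there to give DNS hits a site-specific note type you can alert on separately, which is the closest Bro equivalent of the "malware DNS/IP sources" matching asked for above.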
Hi James,
Maltrail is a wonderful tool that I’m looking for.
thanks.