Does Bro have anything built-in for the following scenario:
· Detecting if a network device is looking up over 50 DNS entries in a 1 hour timeframe
Samson Hille
IT Security Analyst
There is nothing built in right now, but it would be pretty easy to write a script to do it. Here’s a quick one...
# SumStats is loaded by default in Bro 2.x; the explicit @load documents the dependency.
@load base/frameworks/sumstats

event bro_init()
    {
    # Sum the number of recursive DNS requests seen per originating host within each epoch.
    local r1 = SumStats::Reducer($stream="too_much_dns.recursive_requests", $apply=set(SumStats::SUM));
    SumStats::create([$name="too_much_dns",
                      # Measurement window; counters reset at the end of each epoch.
                      $epoch=1hr,
                      $reducers=set(r1),
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                          {
                          return result["too_much_dns.recursive_requests"]$sum;
                          },
                      # Low value for testing; the scenario in the question calls for 50.0.
                      $threshold=5.0,
                      # Fires once per host per epoch when the sum crosses the threshold.
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                          {
                          local r = result["too_much_dns.recursive_requests"];
                          local dur = duration_to_mins_secs(r$end-r$begin);
                          local message = fmt("%s did at least %.0f recursive DNS requests in %s", key$host, r$sum, dur);
                          print message;
                          }]);
    }

# Count only queries with the RD (recursion desired) flag set, keyed by the client address.
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    if ( msg$RD )
        SumStats::observe("too_much_dns.recursive_requests", [$host=c$id$orig_h], [$num=1]);
    }
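An added example, not part of the original thread or of Bro's own scripts, that takes the script above a step closer to the question as asked: it counts distinct query names per host (so a client re-resolving the same record every few seconds does not trip it), uses the threshold of 50 from the question, raises a Notice instead of printing, and lets known recursive resolvers or forwarders be excluded, since those will legitimately look up far more names than any client. It assumes Bro 2.x with the default SumStats and Notice frameworks loaded; the module name TooMuchDNS, the notice type Excessive_Lookups and the ignore_hosts set are my own names, not anything shipped with Bro. On Zeek 3 and later the event is zeek_init rather than bro_init.

```bro
@load base/frameworks/notice
@load base/frameworks/sumstats

module TooMuchDNS;

export {
    redef enum Notice::Type += {
        ## Raised when a host looks up more than name_threshold distinct names in one epoch.
        Excessive_Lookups,
    };

    ## Number of distinct query names per host per epoch that triggers the notice
    ## (50 is the value from the question).
    const name_threshold: double = 50.0 &redef;

    ## Measurement window.
    const epoch: interval = 1hr &redef;

    ## Hosts expected to issue many queries, e.g. the site's own recursive resolvers
    ## or forwarders. Hypothetical default (empty); populate it for your network.
    const ignore_hosts: set[addr] = {} &redef;
}

event bro_init()
    {
    # UNIQUE counts distinct observed values, so 50 lookups of the same name count as one.
    local r1 = SumStats::Reducer($stream="too_much_dns.names", $apply=set(SumStats::UNIQUE));
    SumStats::create([$name="too_much_dns.names",
                      $epoch=epoch,
                      $reducers=set(r1),
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                          {
                          # $unique is a count; adding 0.0 promotes it to the double
                          # that the threshold comparison expects.
                          return result["too_much_dns.names"]$unique + 0.0;
                          },
                      $threshold=name_threshold,
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                          {
                          local r = result["too_much_dns.names"];
                          NOTICE([$note=Excessive_Lookups,
                                  $src=key$host,
                                  $msg=fmt("%s looked up %d distinct DNS names in %s",
                                           key$host, r$unique,
                                           duration_to_mins_secs(r$end - r$begin)),
                                  # One notice per host per window; repeats within the
                                  # epoch are suppressed by the Notice framework.
                                  $identifier=cat(key$host),
                                  $suppress_for=epoch]);
                          }]);
    }

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    # Skip the resolvers themselves; otherwise the forwarder is the first host to alert.
    if ( c$id$orig_h in ignore_hosts )
        return;

    # Observe the (case-folded) name itself so the UNIQUE reducer can de-duplicate it.
    SumStats::observe("too_much_dns.names", [$host=c$id$orig_h], [$str=to_lower(query)]);
    }
```

Run it with `bro -r some.pcap too_much_dns.bro` (or as part of the site policy) and the notice lands in notice.log with the client address in the src column. The RD check from the original script was dropped deliberately: a stub resolver on a workstation sets RD on essentially every query, so the flag adds nothing once the resolvers are excluded by address; if you still want it, add `msg$RD &&` to the condition before observing. Because a single `$threshold` is used, each host alerts at most once per epoch; to keep alerting as the count grows (say at 50, 200 and 1000), replace `$threshold` with `$threshold_series=vector(50.0, 200.0, 1000.0)`.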