Thursday, January 3, 2013

DNS Visibility with Security Onion 12.04

UPDATE 2013-10-05: See the updated version of this blog post here:

There have been some interesting articles recently on the value of DNS visibility for security teams:

If you don't already have good visibility into your DNS traffic, download Security Onion 12.04 now and see how Bro and ELSA can give you point-and-click DNS visibility in minutes!

Hunting through DNS traffic with Bro and ELSA

Devin McLean said...

Please correct me if I'm wrong, but Bro does not log DNS answers if the answer is coming from an external DNS server. I think the goal of the Cisco CSIRT project was to log DNS answers so that they could detect fast-flux botnets and pre-staged domain names that had their DNS pointed to a loopback address.

Doug Burks said...

Hi Devin,

I'm not sure what you mean. As far as I know, Bro logs all DNS answers that it sees.
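As an added example (not code from this post, Security Onion, Bro or ELSA), here is a small Python script that reads the tab-separated dns.log Bro writes, keyed on its `#fields` header, and runs the two checks Devin's comment mentions over the logged answers: names whose answer points at a loopback address, and names that churn through many distinct addresses with short TTLs, a rough fast-flux heuristic. The log lines, hosts, domain names and addresses are constructed for the example; the sample header carries only the columns the script uses (a real dns.log has more, which the header-driven parser simply ignores); and the fast-flux thresholds (`min_distinct_ips`, `max_ttl`) are assumptions chosen for illustration, not Bro settings.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the shape of a Bro dns.log: tab-separated, with the
# "#fields" header Bro writes. Only the columns this example uses are present;
# a real dns.log has more, and the parser keys on the header so that is fine.
SAMPLE_DNS_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#unset_field\t-",
    "#path\tdns",
    "#fields\tts\tid.orig_h\tquery\tqtype_name\trcode_name\tanswers\tTTLs",
    "1357200000.000000\t192.168.1.10\twww.example.com\tA\tNOERROR\t93.184.216.34\t3600.000000",
    "1357200001.000000\t192.168.1.10\tstaged.example.net\tA\tNOERROR\t127.0.0.1\t60.000000",
    "1357200002.000000\t192.168.1.11\tcdn.example.com\tA\tNOERROR\tedge.example.com,203.0.113.7\t300.000000,60.000000",
    "1357200003.000000\t192.168.1.12\tflux.example.org\tA\tNOERROR\t198.51.100.10,198.51.100.11\t120.000000,120.000000",
    "1357200004.000000\t192.168.1.12\tflux.example.org\tA\tNOERROR\t198.51.100.12,198.51.100.13\t120.000000,120.000000",
    "1357200005.000000\t192.168.1.13\tflux.example.org\tA\tNOERROR\t198.51.100.14,198.51.100.15\t120.000000,120.000000",
    "1357200006.000000\t192.168.1.13\tnosuch.example.com\tA\tNXDOMAIN\t-\t-",
    "#close\t2013-01-03-12-00-00",
])


def parse_dns_log(text):
    """Parse a Bro dns.log into a list of dicts keyed by its #fields names.

    Other '#' lines (separator, path, close) are skipped. '-' means unset;
    the answers and TTLs columns are comma-separated vectors.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        rec = dict(zip(fields, line.split("\t")))
        rec["answers"] = [] if rec.get("answers", "-") == "-" else rec["answers"].split(",")
        rec["TTLs"] = [] if rec.get("TTLs", "-") == "-" else [float(t) for t in rec["TTLs"].split(",")]
        records.append(rec)
    return records


def _ip_answers(rec):
    """Yield (ip_address, ttl) for answers that are IP literals; CNAME
    targets and other names in the answers vector are skipped."""
    for answer, ttl in zip(rec["answers"], rec["TTLs"]):
        try:
            yield ipaddress.ip_address(answer), ttl
        except ValueError:
            continue


def find_loopback_answers(records):
    """(query, address) pairs whose answer points at loopback (127/8 or ::1)."""
    hits = []
    for rec in records:
        for ip, _ttl in _ip_answers(rec):
            if ip.is_loopback:
                hits.append((rec["query"], str(ip)))
    return hits


def find_fast_flux_candidates(records, min_distinct_ips=5, max_ttl=300.0):
    """Names that resolved to many distinct addresses, all with short TTLs.

    The thresholds are assumptions for this example, not Bro defaults; tune
    them against your own traffic before treating a hit as more than a lead.
    """
    ips = defaultdict(set)
    highest_ttl = defaultdict(float)
    for rec in records:
        for ip, ttl in _ip_answers(rec):
            ips[rec["query"]].add(str(ip))
            highest_ttl[rec["query"]] = max(highest_ttl[rec["query"]], ttl)
    return {
        q: sorted(addrs)
        for q, addrs in ips.items()
        if len(addrs) >= min_distinct_ips and highest_ttl[q] <= max_ttl
    }


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    print(f"parsed {len(recs)} dns.log records")
    for query, ip in find_loopback_answers(recs):
        print(f"loopback answer: {query} -> {ip}")
    for query, addrs in find_fast_flux_candidates(recs).items():
        print(f"fast-flux candidate: {query} -> {len(addrs)} distinct addresses")
```

On the sample, `staged.example.net` is reported for its loopback answer and `flux.example.org` for resolving to six short-TTL addresses, while the CNAME answer and the NXDOMAIN record are handled without error. Pointing `parse_dns_log` at a real dns.log works unchanged because the column positions come from the header; the same queries are, of course, a few clicks away in ELSA, which is the point of the post.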