Security Onion Blog

Friday, August 17, 2012

Dr. J's Poor Man DNS Anomaly Detection using Bro

Dr. Johannes Ullrich of the SANS Internet Storm Center posted a great DNS Anomaly Detection script based on the query logs coming from his DNS server. We can do the same thing with Bro's dns.log (where Bro captures all the DNS queries it sees on the network):
http://code.google.com/p/security-onion/wiki/DNSAnomalyDetection

at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Search This Blog

Featured Post

Early bird discount for our next Security Onion training class!

Security Onion for Analysts and Threat Hunters Virtual - Apr 29-May 2, 2025 Use the following code before Friday February 28, 2025 to get 10...

Popular Posts

  • Community Webinars featuring Security Onion
    Thanks to all who attended the Zeek webinar on May 27! For those weren't able to join, the recording should be available soon and we wi...
  • Security Onion 2.4 Base OS
    Introduction Recent events have forced us to change course on the base operating system (OS) for Security Onion 2.4.  On 6/21/2023, Red Hat ...
  • Security Advisory for Squert
    Introduction Jeffrey Medsger reported several command injection and SQL injection vulnerabilities in Squert.  Wes Lambert also discovered s...

Blog Archive