Thursday, January 3, 2013

DNS Visibility with Security Onion 12.04


UPDATE 2013-10-05: See the updated version of this blog post here:
http://securityonion.blogspot.com/2013/10/got-dns-visibility.html

There have been some interesting articles recently on the value of DNS visibility for security teams:

http://blogs.cisco.com/security/tracking-malicious-activity-with-passive-dns-query-monitoring/

https://blog.damballa.com/archives/1834/trackback

http://isc.sans.edu/diary.html?storyid=13918


If you don't already have good visibility into your DNS traffic, download Security Onion 12.04 now and see how Bro and ELSA can give you point-and-click DNS visibility in minutes!


Hunting through DNS traffic with Bro and ELSA

2 comments:

Devin McLean said...

Doug,

Please correct me if I'm wrong, but Bro does not log DNS answers if the answer is coming from an external DNS server. I think the goal of the Cisco CSIRT project was to log DNS answers so that they could detect fast-flux botnets and pre-staged domain names that had their DNS pointed to a loopback address.

Doug Burks said...

Hi Devin,

I'm not sure what you mean. As far as I know, Bro logs all DNS answers that it sees.

Doug
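The detection use cases raised in the comments above, as an added example that is not part of the original post or of Bro/Security Onion: a header-driven parser for Bro's TSV dns.log run over a constructed excerpt, flagging names answered with a loopback address (the "pre-staged domain" case) and names that resolve to many distinct short-TTL addresses (a fast-flux indicator). The reduced column set, the sample records and the thresholds are assumptions; because the parser reads the `#fields` header, it applies unchanged to a full dns.log.

```python
import ipaddress
from collections import defaultdict

# Constructed Bro dns.log excerpt (not a real capture). Bro writes TSV with a #fields
# header, '-' for unset values and comma-separated vectors (answers, TTLs); a subset
# of the real columns is kept here, the parser is header-driven and not column-bound.
SAMPLE_DNS_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.resp_h\tquery\tqtype_name\trcode_name\tanswers\tTTLs
1357200000.1\tC1\t10.0.0.5\t8.8.8.8\twww.example.com\tA\tNOERROR\t93.184.216.34\t300.000000
1357200001.2\tC2\t10.0.0.5\t8.8.8.8\tstaged.example.net\tA\tNOERROR\t127.0.0.1\t60.000000
1357200002.3\tC3\t10.0.0.7\t8.8.8.8\tflux.example.org\tA\tNOERROR\t198.51.100.10,198.51.100.11\t30.000000,30.000000
1357200062.4\tC4\t10.0.0.7\t8.8.8.8\tflux.example.org\tA\tNOERROR\t198.51.100.12,198.51.100.13\t30.000000,30.000000
1357200122.5\tC5\t10.0.0.9\t8.8.8.8\tflux.example.org\tA\tNOERROR\t198.51.100.14\t30.000000
1357200123.6\tC6\t10.0.0.9\t8.8.8.8\tmissing.example.com\tA\tNXDOMAIN\t-\t-
"""

def parse_bro_log(text):
    """Parse a Bro TSV log into dicts keyed by the names in its #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records

def answer_ips(record):
    """Yield (ip, ttl) per address answer; skips '-' and non-IP answers such as CNAMEs."""
    if record["answers"] == "-":
        return
    for a, t in zip(record["answers"].split(","), record["TTLs"].split(",")):
        try:
            yield ipaddress.ip_address(a), float(t)
        except ValueError:
            continue

def loopback_answers(records):
    """Names whose answer is a loopback address, i.e. a domain staged at 127.0.0.1."""
    return [(r["query"], str(ip)) for r in records
            for ip, _ in answer_ips(r) if ip.is_loopback]

def fast_flux_candidates(records, min_ips=4, max_ttl=60.0):
    """Names seen resolving to many distinct addresses, all with short TTLs."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for r in records:
        for ip, ttl in answer_ips(r):
            ips[r["query"]].add(ip)
            ttls[r["query"]].append(ttl)
    return sorted(q for q in ips
                  if len(ips[q]) >= min_ips and max(ttls[q]) <= max_ttl)
```

On a real sensor the same two functions run over `/nsm/bro/logs/current/dns.log` (assumed path) or over the rows ELSA returns for a query; the thresholds are starting points to tune against your own baseline.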
