Thursday, January 3, 2013

DNS Visibility with Security Onion 12.04


UPDATE 2013-10-05: See the updated version of this blog post here:
http://securityonion.blogspot.com/2013/10/got-dns-visibility.html

There have been some interesting articles recently on the value of DNS visibility for security teams:

http://blogs.cisco.com/security/tracking-malicious-activity-with-passive-dns-query-monitoring/

https://blog.damballa.com/archives/1834/trackback

http://isc.sans.edu/diary.html?storyid=13918


If you don't already have good visibility into your DNS traffic, download Security Onion 12.04 now and see how Bro and ELSA can give you point-and-click DNS visibility in minutes!


Hunting through DNS traffic with Bro and ELSA
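As an added example that is not code from the post or from the Security Onion project, the following Python hunts through a Bro-style dns.log for two things a security team would want to catch in its own DNS visibility: names whose answers resolve to loopback space and low-TTL names that keep returning new addresses (a fast-flux trait). The dns.log column layout is assumed from Bro 2.x and driven by the `#fields` header rather than hard-coded; every record, UID, timestamp and address in the sample is constructed, and the TTL and distinct-address thresholds are arbitrary starting points, not values from the page.

```python
"""Hunt through a Bro dns.log for loopback answers and fast-flux candidates.
Added example: the dns.log layout below is assumed from Bro 2.x, and all
records are constructed for illustration."""
import ipaddress
from collections import defaultdict

# Column names of Bro 2.x dns.log (assumed; taken from the DNS::Info record).
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "trans_id", "query", "qclass", "qclass_name", "qtype",
          "qtype_name", "rcode", "rcode_name", "AA", "TC", "RD", "RA", "Z",
          "answers", "TTLs", "rejected"]


def _rec(ts, client, query, rcode, rcode_name, answers, ttls):
    # One constructed record in Bro's tab-separated layout; the uid is made up.
    return "\t".join([ts, "CXWv6p3arKYeMETxOg", client, "51234", "8.8.8.8",
                      "53", "udp", "1", query, "1", "C_INTERNET", "1", "A",
                      rcode, rcode_name, "F", "F", "T", "T", "0", answers,
                      ttls, "F"])


# Constructed sample log: one benign lookup, one name staged at loopback,
# one CNAME chain, one NXDOMAIN, and one name cycling through six addresses.
SAMPLE_DNS_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tdns",
    "#fields\t" + "\t".join(FIELDS),
    _rec("1357228800.10", "10.0.0.5", "www.example.com", "0", "NOERROR",
         "93.184.216.34", "3600.000000"),
    _rec("1357228801.20", "10.0.0.5", "staged.example.net", "0", "NOERROR",
         "127.0.0.1", "600.000000"),
    _rec("1357228802.30", "10.0.0.7", "cdn.example.com", "0", "NOERROR",
         "edge.example.com,203.0.113.7", "300.000000,300.000000"),
    _rec("1357228803.40", "10.0.0.7", "nope.example.com", "3", "NXDOMAIN",
         "-", "-"),
    _rec("1357228810.00", "10.0.0.9", "flux.example.org", "0", "NOERROR",
         "198.51.100.11,198.51.100.12", "60.000000,60.000000"),
    _rec("1357228870.00", "10.0.0.9", "flux.example.org", "0", "NOERROR",
         "192.0.2.21,192.0.2.22", "60.000000,60.000000"),
    _rec("1357228930.00", "10.0.0.9", "flux.example.org", "0", "NOERROR",
         "203.0.113.31,203.0.113.32", "60.000000,60.000000"),
    "#close\t2013-01-03-16-00-00",
])


def parse_bro_log(text):
    """Return a list of dicts, one per record, keyed by the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives (#separator, #path, #close, ...)
        elif fields is None:
            raise ValueError("data row before #fields header")
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def split_set(value):
    """Expand a Bro vector field; '-' is unset and '(empty)' is an empty set."""
    return [] if value in ("-", "(empty)") else value.split(",")


def as_ip(text):
    """Parse an answer as an address, or None for CNAME/NS-style name answers."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def find_loopback_answers(records):
    """(query, answer) pairs whose answer lands in loopback space (127/8, ::1)."""
    hits = []
    for r in records:
        for answer in split_set(r["answers"]):
            ip = as_ip(answer)
            if ip is not None and ip.is_loopback:
                hits.append((r["query"], answer))
    return hits


def find_fast_flux_candidates(records, max_ttl=300.0, min_distinct_ips=5):
    """Names that, across queries, return many distinct addresses with low TTLs."""
    seen = defaultdict(set)
    for r in records:
        answers, ttls = split_set(r["answers"]), split_set(r["TTLs"])
        for answer, ttl in zip(answers, ttls):  # Bro aligns TTLs with answers
            ip = as_ip(answer)
            if ip is not None and float(ttl) <= max_ttl:
                seen[r["query"]].add(ip)
    return {name: len(ips) for name, ips in seen.items()
            if len(ips) >= min_distinct_ips}


if __name__ == "__main__":
    recs = parse_bro_log(SAMPLE_DNS_LOG)
    print("loopback answers:", find_loopback_answers(recs))
    print("fast-flux candidates:", find_fast_flux_candidates(recs))
```

Pointing `parse_bro_log` at a real `/nsm/bro/logs/current/dns.log` instead of the sample is the only change needed to run this on live data; the header-driven parser also survives column additions across Bro versions, and the NXDOMAIN row shows why unset `-` fields must be expanded to an empty list before pairing answers with TTLs.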

2 comments:

Devin McLean said...

Doug,

Please correct me if I'm wrong, but Bro does not log DNS answers if the answer is coming from an external DNS server. I think the goal of the Cisco CSIRT project was to log DNS answers so that they could detect fast-flux botnets and pre-staged domain names that had their DNS pointed to a loopback address.

Doug Burks said...

Hi Devin,

I'm not sure what you mean. As far as I know, Bro logs all DNS answers that it sees.

Doug
