Thursday, January 3, 2013

DNS Visibility with Security Onion 12.04


UPDATE 2013-10-05: See the updated version of this blog post here:
http://securityonion.blogspot.com/2013/10/got-dns-visibility.html

There have been some interesting articles recently on the value of DNS visibility for security teams:

http://blogs.cisco.com/security/tracking-malicious-activity-with-passive-dns-query-monitoring/

https://blog.damballa.com/archives/1834/trackback

http://isc.sans.edu/diary.html?storyid=13918


If you don't already have good visibility into your DNS traffic, download Security Onion 12.04 now and see how Bro and ELSA can give you point-and-click DNS visibility in minutes!


Hunting through DNS traffic with Bro and ELSA

2 comments:

Devin McLean said...

Doug,

Please correct me if I'm wrong, but Bro does not log DNS answers if the answer is coming from an external DNS server. I think the goal of the Cisco CSIRT project was to log DNS answers so that they could detect fast-flux botnets and pre-staged domain names that had their DNS pointed to a loopback address.

Doug Burks said...

Hi Devin,

I'm not sure what you mean. As far as I know, Bro logs all DNS answers that it sees.

Doug
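A worked example of the kind of hunting the post and the comment thread describe, added here and not part of the original post or of the Security Onion or Bro projects: a header-driven parser for Bro's tab-separated dns.log, a check for answers that point at a loopback address (the pre-staged-domain pattern raised in the comments), and a simple fast-flux heuristic (many distinct A answers, all with short TTLs). The field list follows the Bro 2.x dns.log layout as an assumption; because the parser reads the #fields header, a real log with a different column order still works as long as it carries query, answers, TTLs, qtype_name and id.orig_h. The sample log, the thresholds and the helper names (hunt, loopback_answers, fast_flux_candidates) are constructed for this example.

```python
"""Hunt a Bro dns.log for pre-staged (loopback) and fast-flux domains."""
import ipaddress
from collections import defaultdict

# Bro 2.x dns.log field names (assumed); the parser below reads the
# #fields header, so real logs with a different column order still work.
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "trans_id", "query", "qclass", "qclass_name", "qtype",
          "qtype_name", "rcode", "rcode_name", "AA", "TC", "RD", "RA", "Z",
          "answers", "TTLs", "rejected"]
QTYPE_CODES = {"A": "1", "MX": "15", "AAAA": "28"}


def _row(ts, orig, query, qtype, answers, ttls):
    """Build one constructed, tab-separated dns.log record."""
    return "\t".join([
        ts, "CX" + ts.split(".")[1], orig, "51234", "8.8.8.8", "53", "udp", "1",
        query, "1", "C_INTERNET", QTYPE_CODES[qtype], qtype, "0", "NOERROR",
        "F", "F", "T", "T", "0",
        ",".join(answers) if answers else "-",
        ",".join(ttls) if ttls else "-", "F"])


# Constructed sample log: one benign lookup, one domain parked on loopback,
# a name whose A answers churn with a short TTL, and an MX lookup.
SAMPLE_DNS_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tdns",
    "#fields\t" + "\t".join(FIELDS),
    _row("1357200000.000001", "10.0.0.5", "www.example.com", "A",
         ["93.184.216.34"], ["3600.000000"]),
    _row("1357200010.000002", "10.0.0.5", "staged.example.net", "A",
         ["127.0.0.1"], ["300.000000"]),
    _row("1357200020.000003", "10.0.0.7", "flux.example.org", "A",
         ["198.51.100.10", "198.51.100.11"], ["120.000000", "120.000000"]),
    _row("1357200200.000004", "10.0.0.7", "flux.example.org", "A",
         ["203.0.113.20", "203.0.113.21"], ["120.000000", "120.000000"]),
    _row("1357200400.000005", "10.0.0.9", "flux.example.org", "A",
         ["192.0.2.30", "192.0.2.31"], ["120.000000", "120.000000"]),
    _row("1357200500.000006", "10.0.0.9", "mail.example.com", "MX",
         ["mx1.example.com"], ["3600.000000"]),
    "#close\t2013-01-03-12-00-00",
])


def parse_bro_log(text):
    """Yield one dict per record, keyed by the #fields header names.
    Vector fields (answers, TTLs) are split on ','; Bro's unset marker '-'
    and empty marker '(empty)' become an empty list."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("dns.log data line before #fields header")
        rec = dict(zip(fields, line.split("\t")))
        for vec in ("answers", "TTLs"):
            raw = rec.get(vec, "-")
            rec[vec] = [] if raw in ("-", "(empty)") else raw.split(",")
        yield rec


def _as_ip(value):
    """Return an ip_address for value, or None for names such as MX targets."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def loopback_answers(records):
    """(query, client, answer) for answers in 127.0.0.0/8 or ::1."""
    hits = []
    for r in records:
        for a in r["answers"]:
            ip = _as_ip(a)
            if ip is not None and ip.is_loopback:
                hits.append((r["query"], r["id.orig_h"], a))
    return hits


def fast_flux_candidates(records, min_ips=5, max_ttl=300.0):
    """Names whose A answers churn: at least min_ips distinct addresses
    seen and no TTL above max_ttl. Thresholds are illustrative."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for r in records:
        if r.get("qtype_name") != "A":
            continue
        for a in r["answers"]:
            if _as_ip(a) is not None:
                ips[r["query"]].add(a)
        ttls[r["query"]].extend(float(t) for t in r["TTLs"])
    return sorted(q for q, seen in ips.items()
                  if len(seen) >= min_ips and ttls[q] and max(ttls[q]) <= max_ttl)


def hunt(log_text):
    """Run both checks over one dns.log and return the findings."""
    records = list(parse_bro_log(log_text))
    return {"loopback": loopback_answers(records),
            "fast_flux": fast_flux_candidates(records)}


if __name__ == "__main__":
    for kind, findings in hunt(SAMPLE_DNS_LOG).items():
        print(kind, findings)
```

Feed hunt() the text of a real dns.log (on a Security Onion 12.04 sensor the live Bro logs normally sit under /nsm/bro/logs/current/) and the same two findings can be pivoted on in ELSA by query name or client address. The fast-flux heuristic is deliberately crude: large CDNs and round-robin mail providers also hand out many addresses with short TTLs, so in practice it needs an allowlist of known-good domains and thresholds tuned to the site before it is worth alerting on.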
