Thursday, January 3, 2013

DNS Visibility with Security Onion 12.04


UPDATE 2013-10-05: See the updated version of this blog post here:
http://securityonion.blogspot.com/2013/10/got-dns-visibility.html

There have been some interesting articles recently on the value of DNS visibility for security teams:

http://blogs.cisco.com/security/tracking-malicious-activity-with-passive-dns-query-monitoring/

https://blog.damballa.com/archives/1834/trackback

http://isc.sans.edu/diary.html?storyid=13918


If you don't already have good visibility into your DNS traffic, download Security Onion 12.04 now and see how Bro and ELSA can give you point-and-click DNS visibility in minutes!


Hunting through DNS traffic with Bro and ELSA

2 comments:

  1. Doug,

    Please correct me if I'm wrong, but Bro does not log DNS answers if the answer is coming from an external DNS server. I think the goal of the Cisco CSIRT project was to log DNS answers so that they could detect fast-flux botnets and pre-staged domain names that had their DNS pointed to a loopback address.

    ReplyDelete
  2. Hi Devin,

    I'm not sure what you mean. As far as I know, Bro logs all DNS answers that it sees.

    Doug

    ReplyDelete

Note: Only a member of this blog may post a comment.