UPDATE 2013-10-05: See the updated version of this blog post here:
http://securityonion.blogspot.com/2013/10/got-dns-visibility.html
There have been some interesting articles recently on the value of DNS visibility for security teams:
http://blogs.cisco.com/security/tracking-malicious-activity-with-passive-dns-query-monitoring/
https://blog.damballa.com/archives/1834/trackback
http://isc.sans.edu/diary.html?storyid=13918
If you don't already have good visibility into your DNS traffic, download Security Onion 12.04 now and see how Bro and ELSA can give you point-and-click DNS visibility in minutes!
Hunting through DNS traffic with Bro and ELSA
Doug,
Please correct me if I'm wrong, but Bro does not log DNS answers if the answer is coming from an external DNS server. I think the goal of the Cisco CSIRT project was to log DNS answers so that they could detect fast-flux botnets and pre-staged domain names that had their DNS pointed to a loopback address.
Hi Devin,
I'm not sure what you mean. As far as I know, Bro logs all DNS answers that it sees.
Doug
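The comment thread above mentions two things a DNS hunter looks for in logged answers: pre-staged domains whose records point at a loopback address, and names whose answers churn through many low-TTL addresses (fast flux). The script below is an added example, not code from Security Onion, Bro or ELSA, that runs both checks over a Bro 2.x dns.log. It assumes the tab-separated dns.log layout with a `#fields` header (the column names `query`, `answers` and `TTLs` are real Bro field names); the log lines themselves are constructed for illustration, and the `min_distinct` and `max_ttl` thresholds are arbitrary starting points, not tuned values.

```python
"""Hunt a Bro dns.log for loopback answers and answer churn.

Added example, not part of Security Onion, Bro or ELSA. Assumes the
Bro 2.x tab-separated dns.log layout with a '#fields' header line; the
sample log below is constructed, and the thresholds are illustrative.
"""
import ipaddress
from collections import defaultdict

# Constructed sample dns.log. The '#fields' line drives column lookup, so
# the parser does not hard-code column positions.
SAMPLE_DNS_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tdns
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id\tquery\tqclass\tqclass_name\tqtype\tqtype_name\trcode\trcode_name\tAA\tTC\tRD\tRA\tZ\tanswers\tTTLs\trejected
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount\tstring\tcount\tstring\tcount\tstring\tcount\tstring\tbool\tbool\tbool\tbool\tcount\tvector[string]\tvector[interval]\tbool
1380900000.100000\tCXWv6p3arKYeMETxOg\t192.0.2.10\t51234\t192.0.2.1\t53\tudp\t4321\twww.example.com\t1\tC_INTERNET\t1\tA\t0\tNOERROR\tF\tF\tT\tT\t0\t93.184.216.34\t300.000000\tF
1380900001.200000\tCXWv6p3arKYeMETxOh\t192.0.2.10\t51235\t192.0.2.1\t53\tudp\t4322\tstaged.example.net\t1\tC_INTERNET\t1\tA\t0\tNOERROR\tF\tF\tT\tT\t0\t127.0.0.1\t60.000000\tF
1380900001.300000\tCXWv6p3arKYeMETxOi\t192.0.2.10\t51236\t192.0.2.1\t53\tudp\t4323\tstaged.example.net\t1\tC_INTERNET\t28\tAAAA\t0\tNOERROR\tF\tF\tT\tT\t0\t::1\t60.000000\tF
1380900010.000000\tCXWv6p3arKYeMETxOj\t192.0.2.11\t40001\t192.0.2.1\t53\tudp\t5001\tflux.example.org\t1\tC_INTERNET\t1\tA\t0\tNOERROR\tF\tF\tT\tT\t0\t198.51.100.11\t30.000000\tF
1380900040.000000\tCXWv6p3arKYeMETxOk\t192.0.2.11\t40002\t192.0.2.1\t53\tudp\t5002\tflux.example.org\t1\tC_INTERNET\t1\tA\t0\tNOERROR\tF\tF\tT\tT\t0\t198.51.100.12\t30.000000\tF
1380900070.000000\tCXWv6p3arKYeMETxOl\t192.0.2.11\t40003\t192.0.2.1\t53\tudp\t5003\tflux.example.org\t1\tC_INTERNET\t1\tA\t0\tNOERROR\tF\tF\tT\tT\t0\t198.51.100.13\t30.000000\tF
1380900100.000000\tCXWv6p3arKYeMETxOm\t192.0.2.11\t40004\t192.0.2.1\t53\tudp\t5004\tflux.example.org\t1\tC_INTERNET\t1\tA\t0\tNOERROR\tF\tF\tT\tT\t0\t198.51.100.14\t30.000000\tF
1380900120.000000\tCXWv6p3arKYeMETxOn\t192.0.2.10\t51237\t192.0.2.1\t53\tudp\t4324\tcdn.example.com\t1\tC_INTERNET\t1\tA\t0\tNOERROR\tF\tF\tT\tT\t0\twww.example.com,93.184.216.34\t3600.000000,300.000000\tF
1380900130.000000\tCXWv6p3arKYeMETxOo\t192.0.2.10\t51238\t192.0.2.1\t53\tudp\t4325\tnope.example.com\t1\tC_INTERNET\t1\tA\t3\tNXDOMAIN\tF\tF\tT\tT\t0\t-\t-\tF
"""


def parse_dns_log(text):
    """Yield one dict per data row, keyed by the names in the '#fields' line."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # other header lines (#separator, #types, ...)
        if fields is None:
            raise ValueError("data row seen before #fields header")
        yield dict(zip(fields, line.split("\t")))


def split_vector(raw):
    """Split a Bro vector column; '-' (unset) and '(empty)' yield no items."""
    if raw in ("-", "(empty)"):
        return []
    return raw.split(",")


def address_answers(rec):
    """Only the answers that parse as IP addresses (CNAME targets are names)."""
    out = []
    for ans in split_vector(rec.get("answers", "-")):
        try:
            out.append(ipaddress.ip_address(ans))
        except ValueError:
            continue
    return out


def loopback_answers(records):
    """(query, answer) pairs where a resolved address is loopback (v4 or v6)."""
    hits = []
    for rec in records:
        for addr in address_answers(rec):
            if addr.is_loopback:
                hits.append((rec["query"], str(addr)))
    return hits


def churning_names(records, min_distinct=4, max_ttl=300.0):
    """Names resolved to >= min_distinct different addresses, all with low TTLs.

    Many distinct short-lived addresses for one name is the classic fast-flux
    shape; the thresholds are assumptions for this example, not tuned values.
    Returns {query: set_of_addresses}.
    """
    seen = defaultdict(set)
    for rec in records:
        ttls = [float(t) for t in split_vector(rec.get("TTLs", "-"))]
        if ttls and max(ttls) > max_ttl:
            continue  # long-lived records are not flux-like
        for addr in address_answers(rec):
            seen[rec["query"]].add(str(addr))
    return {q: a for q, a in seen.items() if len(a) >= min_distinct}


if __name__ == "__main__":
    recs = list(parse_dns_log(SAMPLE_DNS_LOG))
    for query, ans in loopback_answers(recs):
        print(f"loopback answer: {query} -> {ans}")
    for query, addrs in churning_names(recs).items():
        print(f"answer churn: {query} -> {sorted(addrs)}")
```

Pointing the script at a real file is a matter of `parse_dns_log(open(path).read())`; in ELSA the same two questions map to searching the `dns` class for the loopback answer values, or grouping by query and counting distinct answers.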