Educause Security Discussion mailing list archives

Re: capturing full URL information via DNS request logs


From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Wed, 9 Oct 2013 17:32:25 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Oct 09, 2013 at 08:03:02PM +0000, Youngquist, Jason R. wrote:

> us in order to get this information.  Instead of getting an IP address
> that points to Akamai (i.e. this is what is captured via netflow), one
> person suggested that it was relatively easy to capture the original
> content that the user was downloading.  I.e. in the original DNS
> request the URL information would be included in the packet info.

As others have pointed out, that's not quite right. You can get the
domain name but not the URL. Unless you're grabbing passive DNS then you
won't be able to match domain lookups with corresponding destination IP
addresses.

> Are people using DNS logs to capture this type of URL traffic?  If so,
> does it provide the full URL, or just the DNS host name?  DNS host
> name would be useful, but full URL would be even better.

Using SecurityOnion to pull DNS information with Bro + ELSA:

https://www.youtube.com/watch?v=33HZyIxbg6c

Doing something similar with Bro + ELSA (Ubuntu 12 LTS, not SecurityOnion):

http://opensecgeek.blogspot.com/2013/02/nsm-with-bro-ids-part-4-bro-and-elsa.html

You can substitute Splunk or whatever logging solution you use for ELSA;
if it speaks syslog, it's trivial to get your bro logs there.

You can do some similar things with the suricata logs but I MUCH prefer
bro for that since you get passive DNS and an equivalent to netflow
out-of-the-box. It's not the best for visualisation but it's *awesome*
for network forensics.

kmw

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAlJVy2gACgkQsKMTOtQ3fKFY3gCdGZC7b4qygEJ77nkh2IhmWEcQ
sDIAoIFvr0/7mB9iMowkmtOKJB0/ZsWu
=gP6m
-----END PGP SIGNATURE-----
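An added example, not part of Kevin's message or of the Bro/ELSA projects: Python that performs the passive-DNS correlation he describes, matching a client's DNS answers (honouring their TTL) to that client's later connections so a destination IP behind a CDN can be attributed to the host name that was actually looked up. The record layout (tab-separated ts, client, query, answers, TTL for DNS; ts, client, destination, port for connections) and every address and name in it are constructed for the example and only loosely modelled on Bro's dns.log and conn.log. It also makes the thread's point concrete: the result is a host name, never a URL path.

```python
"""Passive DNS: attribute connection destinations to the names a client resolved.

Constructed sample records, loosely modelled on Bro dns.log / conn.log fields.
Addresses come from the documentation ranges (192.0.2.x, 203.0.113.x,
198.51.100.x); names are invented. Field layout is an assumption of this
example, not Bro's real column set.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed: ts <tab> client <tab> query <tab> answers (comma-separated) <tab> ttl
DNS_LOG = [
    "1381344000.10\t192.0.2.10\twww.example.edu\t203.0.113.5,203.0.113.6\t300",
    "1381344001.50\t192.0.2.10\tcdn.example.net\t203.0.113.5\t20",
    "1381344002.00\t192.0.2.11\tmail.example.edu\t203.0.113.9\t3600",
]

# Constructed: ts <tab> client <tab> destination ip <tab> destination port
CONN_LOG = [
    "1381344002.20\t192.0.2.10\t203.0.113.5\t443",   # two live answers; newest wins
    "1381344001.00\t192.0.2.10\t203.0.113.6\t80",    # only www.example.edu resolved here
    "1381344100.00\t192.0.2.10\t203.0.113.5\t443",   # cdn answer (ttl 20) has expired
    "1381344003.00\t192.0.2.12\t198.51.100.7\t443",  # no lookup seen from this client
]


@dataclass
class DnsAnswer:
    ts: float      # when the answer was observed
    client: str    # the resolver client that asked
    query: str     # the name that was looked up
    ip: str        # one address from the answer section
    ttl: float     # how long the answer may legitimately be cached


def parse_dns_log(lines: List[str]) -> List[DnsAnswer]:
    """Expand each DNS record into one DnsAnswer per returned address."""
    answers = []
    for line in lines:
        ts, client, query, answer_field, ttl = line.rstrip("\n").split("\t")
        for ip in answer_field.split(","):
            answers.append(DnsAnswer(float(ts), client, query, ip, float(ttl)))
    return answers


def build_passive_dns(answers: List[DnsAnswer]) -> Dict[Tuple[str, str], List[DnsAnswer]]:
    """Index answers by (client, ip), oldest first, for later lookups."""
    index: Dict[Tuple[str, str], List[DnsAnswer]] = defaultdict(list)
    for a in answers:
        index[(a.client, a.ip)].append(a)
    for entries in index.values():
        entries.sort(key=lambda a: a.ts)
    return index


def attribute(index, ts: float, client: str, dest_ip: str) -> Optional[str]:
    """Most recent name this client resolved to dest_ip whose answer was still
    within its TTL when the connection started; None if nothing matches.
    Only the host name can ever come out of this: DNS carries no URL path."""
    live = [a for a in index.get((client, dest_ip), []) if a.ts <= ts <= a.ts + a.ttl]
    if not live:
        return None
    return max(live, key=lambda a: a.ts).query


def attribute_connections(dns_lines: List[str], conn_lines: List[str]):
    """Return (client, dest_ip, port, attributed_name) for every connection."""
    index = build_passive_dns(parse_dns_log(dns_lines))
    results = []
    for line in conn_lines:
        ts, client, dest_ip, port = line.rstrip("\n").split("\t")
        results.append((client, dest_ip, int(port), attribute(index, float(ts), client, dest_ip)))
    return results


if __name__ == "__main__":
    for client, dest_ip, port, name in attribute_connections(DNS_LOG, CONN_LOG):
        print(f"{client} -> {dest_ip}:{port}  {name or '(no matching lookup)'}")
```

The TTL check matters for the CDN case the thread is about: one Akamai-style address is shared by many names, so an answer that has expired must not be used to label a later flow, and when two answers are both live the newest is the better guess. Stretching the window a little past the TTL is a reasonable tuning knob, since stub resolvers and browsers often cache longer than the zone allows.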

