Educause Security Discussion mailing list archives
Re: capturing full URL information via DNS request logs
From: "Youngquist, Jason R." <jryoungquist () CCIS EDU>
Date: Thu, 10 Oct 2013 16:24:30 +0000
Thanks all for your feedback. I believe I have been going down the right path all along, just haven't had time to devote to this project. I am currently working with Bro. That's how I told my CIO we could get URL information. I had a Bro test instance installed on a server for a couple of weeks and then the hard drive crashed on it. Currently rebuilding the server and hope to get Bro back up and running so I can make tweaks to get the URL info sent to my SIEM/log collector for analysis and/or package it into a netflow record that my netflow collector can read. I have used nprobe and it will capture URL information and put it into a netflow record. The problem is the URL information is not displayed in my current netflow collector. We have Lancope's StealthWatch Xe (BTW, I am a big fan of them) and were sending stuff from nprobe (before my box crashed), but StealthWatch doesn't know how to display the URL information, because it's not in their table schema. I've been telling Lancope they should add integration with nprobe into their product, but they have a competing product called a "flow sensor" which takes a spanned/mirrored port just like nprobe and converts it into layer 7 netflow. I'd like to save the college money, so I'd rather have nprobe integration with StealthWatch as a new feature from them for free rather than purchasing their "flow sensor" product. One could also potentially craft a netflow record via Bro (this was the idea I was thinking about using since nprobe doesn't work) and I was going to contact the Lancope folks about my idea to try to get a table schema so I could map the URL field to one of their table fields. I know that it is on their radar, but they have other higher priority items they are working on right now. Maybe existing Lancope customers could put a "bug in their Lancope sales guy's ear" and let them know we would like to see this nprobe integration in future releases?
The cool thing about nprobe... it's free for educational institutions. You don't have to pay a penny. Everyone should be using it. I've been in contact with the developer of nprobe and she has been quite helpful in helping me get the product up and running in my environment. (It can be used on both Windows/Linux.) If you do contact Lancope, please make sure to let me know. They are quite user focused and are having their first users conference here at the end of the month in October. Maybe create a buzz about this idea at the conference so it can be bumped up in priority? Thanks.
Jason Youngquist, CISSP, CISA
Information Security Engineer
Columbia College - Technology Services
1001 Rogers Street, Columbia, MO 65216
(573) 875-7334
jryoungquist () ccis edu
http://www.ccis.edu
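The Bro-to-SIEM step described in the post, as an added example that is not from the thread or from the Bro project: a Python parser for Bro's tab-separated http.log that reads the `#fields` header, rebuilds the full URL from the `host` and `uri` columns, and emits flat JSON-lines records a log collector can ingest. The sample log is constructed (column list abbreviated, addresses from documentation ranges).

```python
import json

# Constructed sample in Bro's tab-separated log format (column list abbreviated).
SAMPLE_HTTP_LOG = (
    "#separator \\x09\n"
    "#unset_field\t-\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\ttrans_depth"
    "\tmethod\thost\turi\treferrer\tuser_agent\tstatus_code\n"
    "1381420000.123456\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t51234\t93.184.216.34\t80\t1"
    "\tGET\texample.com\t/index.html\t-\tMozilla/5.0\t200\n"
    "1381420001.000000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.5\t51235\t93.184.216.34\t80\t1"
    "\tGET\texample.com:8080\t/search?q=bro\t-\tMozilla/5.0\t-\n"
    "1381420002.000000\tCXWv6p3arKYeMETxOg\t10.0.0.7\t40000\t198.51.100.9\t80\t1"
    "\tPOST\t-\t/post\t-\t-\t404\n"
)

def parse_bro_log(text):
    """Yield one dict per data line, keyed by the names in the #fields header."""
    fields, unset = None, "-"
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#unset_field\t"):
            unset = line.split("\t")[1]  # Bro's marker for a field it never saw
        elif line.startswith("#") or not line:
            continue  # remaining header/footer lines and blank lines
        else:
            assert fields is not None, "data line before #fields header"
            yield {k: (None if v == unset else v) for k, v in zip(fields, line.split("\t"))}

def full_url(rec):
    """Rebuild the URL Bro splits into host (Host header, may carry a port) and uri."""
    if rec.get("host") is None or rec.get("uri") is None:
        return None
    return "http://" + rec["host"] + rec["uri"]  # http.log covers plaintext HTTP only

def siem_records(text):
    """Flat dicts, one per request with a rebuildable URL, ready for JSON lines."""
    out = []
    for rec in parse_bro_log(text):
        url = full_url(rec)
        if url is None:
            continue  # no Host header: nothing to rebuild, keep it out of the feed
        out.append({"ts": float(rec["ts"]), "src": rec["id.orig_h"], "dst": rec["id.resp_h"],
                    "method": rec["method"], "url": url,
                    "status": int(rec["status_code"]) if rec["status_code"] else None})
    return out

def to_jsonl(records):
    # One JSON object per line, the shape most log collectors ingest directly.
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)
```

Point the same parser at a live Bro http.log and ship the output of `to_jsonl` to the collector; a request with no Host header (the third sample line) is deliberately skipped rather than emitted with a half-built URL.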