Educause Security Discussion mailing list archives
Need SQL guru to help match DNS data to malware domains
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Fri, 12 Feb 2010 15:00:39 +1300
Hi

We have a database table storing data from dns queries:

+----------+------------------+------+-----+-------------------+-------+
| Field    | Type             | Null | Key | Default           | Extra |
+----------+------------------+------+-----+-------------------+-------+
| last     | timestamp        | NO   | MUL | CURRENT_TIMESTAMP |       |
| hostname | varchar(255)     | NO   | PRI |                   |       |
| ip       | int(10) unsigned | NO   | PRI | 0                 |       |
| client   | int(10) unsigned | NO   |     | 0                 |       |
+----------+------------------+------+-----+-------------------+-------+

where hostname is the hostname that was looked up in the query, ip is the associated ip and client is the ip of the machine that did the look up. Last is the last time we saw this host queried.

I am wanting to match this table against the list of malware domains (www.malwaredomains.com) but there is a catch. The malwaredomains are domains, not host names, so one can't simply join the tables.

Anyone have any idea on how to do this efficiently? What I want is a report of client IPs that have looked up anything within any of the malware domains in the last hour.

Russell.
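One way to write the report asked for above, as an added example that is not part of the original post or the thread's replies. It assumes MySQL, that the table shown is named dns_queries, and that the blocklist has been loaded into a hypothetical table malware_domains with an indexed domain column; none of these names appear in the post.

```sql
-- Added example. Assumed names (not from the post):
--   dns_queries      the table described in the message
--   malware_domains  one row per blocklisted domain, domain VARCHAR(255) PRIMARY KEY
--
-- Instead of a LIKE '%.domain' scan, derive each hostname's parent domains
-- (last 1..6 labels) and join on equality so the blocklist index is used.
-- The depth of 6 labels is an assumption; extend the list for deeper entries.
SELECT DISTINCT
       INET_NTOA(q.client) AS client_ip,      -- client is stored as an unsigned int
       q.hostname,
       m.domain            AS matched_domain,
       q.`last`            AS last_seen
FROM dns_queries AS q
CROSS JOIN (
        SELECT 1 AS n UNION ALL SELECT 2 UNION ALL SELECT 3
        UNION ALL SELECT 4 UNION ALL SELECT 5 UNION ALL SELECT 6
     ) AS depth
JOIN malware_domains AS m
  -- SUBSTRING_INDEX('a.b.example.com', '.', -2) yields 'example.com';
  -- when n exceeds the label count it returns the whole hostname,
  -- which DISTINCT collapses into a single row.
  ON m.domain = SUBSTRING_INDEX(q.hostname, '.', -depth.n)
WHERE q.`last` >= NOW() - INTERVAL 1 HOUR     -- range scan on the index over `last`
ORDER BY client_ip, q.hostname;
```

The one-hour filter limits the rows expanded by the depth list, and matching on whole labels means a blocklist entry such as example.com does not match notexample.com.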