Educause Security Discussion mailing list archives

Re: capturing full URL information via DNS request logs


From: "Youngquist, Jason R." <jryoungquist () CCIS EDU>
Date: Thu, 10 Oct 2013 16:24:30 +0000

Thanks all for your feedback.  I believe I have been going down the right path all along, just haven't had time to 
devote to this project.

I am currently working with Bro.  That's how I told my CIO we could get URL information.  I had a Bro test instance 
installed on a server for a couple of weeks and then the hard drive crashed on it.  Currently rebuilding the server and 
hope to get Bro back up and running so I can make tweaks to get the URL info sent to my SIEM/log collector for analysis 
and/or package it into a netflow record that my netflow collector can read.

I have used nprobe and it will capture URL information and put it into a netflow record.

The problem is the URL information is not displayed in my current netflow collector.  We have Lancope's StealthWatch 
Xe (BTW, I am a big fan of them) and were sending stuff from nprobe (before my box crashed), but StealthWatch doesn't 
know how to display the URL information, because it's not in their table schema.  I've been telling Lancope they should 
add integration with nprobe into their product, but they have a competing product called a "flow sensor" which takes a 
spanned/mirrored port just like nprobe and converts it into layer 7 netflow.  I'd like to save the college money, so I'd 
rather have nprobe integration with StealthWatch as a new feature from them for free rather than purchasing their 
"flow sensor" product.

One could also potentially craft a netflow record via Bro (this was the idea I was thinking about using since nprobe 
doesn't work) and was going to contact the Lancope folks about my idea to try to get a table schema so I could map the 
URL field to one of their table fields.

I know that it is on their radar, but they have other higher priority items they are working on right now.  Maybe 
existing Lancope customers could put a "bug in their Lancope sales guy's ear" and let them know we would like to see this 
nprobe integration in future releases?

The cool thing about nprobe... it's free for educational institutions.  You don't have to pay a penny.  Everyone should 
be using it.  I've been in contact with the developer of nprobe and she has been quite helpful in helping me get the 
product up and running in my environment.  (It can be used on both Windows and Linux.)

If you do contact Lancope, please make sure to let me know.  They are quite user focused and are having their first 
users conference here the end of the month in October.  Maybe create a buzz about this idea at the conference so it can 
be bumped up in priority?

Thanks.
Jason Youngquist, CISSP, CISA
Information Security Engineer
Columbia College - Technology Services
1001 Rogers Street, Columbia, MO  65216
(573) 875-7334
jryoungquist () ccis edu
http://www.ccis.edu
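As an added example (not code from the thread, Bro, nprobe or Lancope): one way to pull the full URL out of Bro's tab-separated http.log and emit JSON lines a SIEM/log collector can ingest. The sample log below is constructed and uses only a subset of the real http.log fields; the `#unset_field` marker (`-`) is honoured so a missing Host header falls back to the responder IP.

```python
"""Reconstruct full request URLs from a Bro http.log and emit SIEM-friendly JSON lines."""
import json

# Constructed sample in Bro's TSV log format (subset of http.log fields, not a real capture).
SAMPLE_HTTP_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\thttp
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tstatus_code
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tcount
1381420000.123456\tCabc123\t10.0.0.5\t51234\t93.184.216.34\t80\tGET\texample.com\t/index.html\t200
1381420001.000000\tCdef456\t10.0.0.7\t51235\t93.184.216.34\t8080\tPOST\t-\t/upload\t-
"""


def parse_bro_log(text):
    """Yield one dict per record, keyed by the names given in the #fields header line."""
    fields, unset, empty = None, "-", "(empty)"
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#unset_field"):
            unset = line.split("\t", 1)[1]          # marker for "field not set" (default '-')
        elif line.startswith("#empty_field"):
            empty = line.split("\t", 1)[1]          # marker for "set but empty"
        elif line.startswith("#") or not line.strip() or fields is None:
            continue                                 # other metadata, blank lines, or no header yet
        else:
            values = line.split("\t")
            yield {name: (None if v == unset else "" if v == empty else v)
                   for name, v in zip(fields, values)}


def full_url(record):
    """Join Host header and URI into a full URL; fall back to the responder IP when Host is unset."""
    host = record.get("host") or record.get("id.resp_h")
    port = record.get("id.resp_p")
    hostport = host if port in (None, "80") else f"{host}:{port}"
    return f"http://{hostport}{record.get('uri') or ''}"


def reconstructed_urls(text):
    """Full URL for every HTTP record in the log text."""
    return [full_url(r) for r in parse_bro_log(text)]


def to_siem_events(text):
    """One JSON line per request with timestamp, client, method, URL and status (null if unset)."""
    return [json.dumps({"ts": float(r["ts"]), "src": r["id.orig_h"], "method": r["method"],
                        "url": full_url(r), "status": r["status_code"]}, sort_keys=True)
            for r in parse_bro_log(text)]
```

Feeding a live log to it is a matter of tailing http.log and forwarding each line from `to_siem_events` to the collector.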
