Educause Security Discussion mailing list archives

Re: capturing full URL information via DNS request logs


From: John Ladwig <John.Ladwig () SO MNSCU EDU>
Date: Thu, 10 Oct 2013 17:22:38 +0000

Seems like that's still what ASAs do.  We haven't made a full analysis of their behavior, and thus we don't have what you would call a solution.

The existing behavior suffices to handle enough of our use-cases (malware downloads and bot activity &c) to keep us more than busy.

   -jml

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Philip Webster
Sent: Wednesday, October 09, 2013 7:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] capturing full URL information via DNS request logs

On 10/10/2013 08:03, John Ladwig wrote:
> Cisco's ASA firewall line also logs http URIs at Informational priority.

We looked at the ASA a while back and it seemed that it would only log
the first URI in a connection. So we could see that a user went to
http://www.google.com/, for example; however, if they maintained a
persistent HTTP connection, then we wouldn't see the following search
requests.

Have you encountered this, and if so are you aware of a solution?
-- 
Philip Webster
Senior IT Security Engineer | Queensland University of Technology

