PaulDotCom mailing list archives
Re: DNS Query capture and analysis
From: "Liam Randall" <Liam.Randall () gigaco com>
Date: Mon, 10 Jun 2013 17:08:57 -0400
<pro_bro>
Bro will make a nice DNS log, although if you are monitoring at the border you are going to see your recursive DNS logs. Our intel framework will test both IP & domain on DNS requests and replies. We've also got some DGAs implemented in Bro so you can test for them dynamically:

    https://github.com/sethhall/bro-domain-generation

Bro will also do dynamic protocol detection, so you can just search your logs like this to get a count of all DNS detected by host/port pair:

    zcat */dns.* | bro-cut id.resp_h id.resp_p | sort | uniq -c | sort -n

      count   server          port
      49250   8.8.8.8         53
      66291   ff02::1:3       5355
      77375   224.0.0.252     5355
     142954   129.121.254.2   53
     188652   192.168.3.255   137
     334508   192.168.7.255   137
    1087534   129.121.254.1   53

bro-cut is our log parsing tool; you can grep, sed & awk your way through the logs.
</pro_bro>

Disclosure: I am on the Bro team (because I love it).

There are a lot of BlackHole/DNS sinkhole files floating around you can use, such as:

    http://www.malwaredomains.com/?page_id=66


From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Jon Molesa
Sent: Wednesday, May 29, 2013 2:13 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] DNS Query capture and analysis

Good point.

On Tue, May 28, 2013 at 11:23 AM, allison nixon <elsakoo () gmail com> wrote:

If you are interested in malware-related activity, you may not want to limit it to only port 53. You would have to write tcpdump filters around the specific flags that specify DNS traffic.

On Tue, May 28, 2013 at 10:55 AM, Jon Molesa <rjmolesa () consoltec net> wrote:

To create a pcap that contains only DNS lookups:

    tcpdump -vvv -i wan0 -s 0 -l port 53 -w dns-only.pcap

To parse a larger pcap containing other protocols:

    tcpdump -vvv -s 0 -l port 53 -r alltraffic.pcap

On Sun, May 26, 2013 at 9:53 PM, Tim Parker <timparkersec () gmail com> wrote:

What's the best way to capture and analyze DNS queries and responses on my LAN? Are there any good tools out there for this? I can run a full capture on the WAN interface, but then what's good for automating the extraction of the DNS traffic? Thanks!

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

--
Jon Molesa
rjmolesa () consoltec net

Aoccdrnig to rscheearch at an Elingsh uinervtisy, it deosn't mttaer in waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist and lsat ltteer are in the rghit pclae. The rset can be a toatl mses and you can sitll raed it wouthit a porbelm. Tihs is bcuseae we do not raed ervey lteter by it slef but the wrod as a wlohe and the biran fguiers it out aynawy. ... so please excuse me for every typo in the email above.
Reference: https://github.com/Ettercap/ettercap/blob/master/README

--
_________________________________
Note to self: Pillage BEFORE burning.
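The two things the thread suggests doing with a Bro dns.log, counting records by responding server/port (the bro-cut pipeline above) and testing queries and answers against a sinkhole/blocklist (what the intel framework does with IP and domain indicators), as one added example in Python. This is not code from the Bro project or from anyone on the list. It assumes Bro's ASCII log layout: tab-separated columns named by a "#fields" header, "-" for an unset value, "," between elements of a vector such as "answers". The log lines, the column subset, the uids and the blocklist below are all constructed for the example.

```python
"""Aggregate a Bro ASCII dns.log by responding server/port and check
queries and answers against a DNS sinkhole/blocklist.

Added example, not Bro project code.  Assumes Bro's ASCII log format:
tab-separated values, a '#fields' header naming the columns, '-' for
unset fields and ',' separating vector elements.  The sample log and
the blocklist are constructed; the columns are a subset of a real dns.log.
"""
from collections import Counter

# Constructed sample: a hypothetical excerpt of dns.log columns.
_HEADER = ("ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
           "proto", "query", "qtype_name", "rcode_name", "answers")
_ROWS = [
    ("1370900000.1", "Ca1", "192.168.7.10", "51000", "129.121.254.1", "53",
     "udp", "www.example.com", "A", "NOERROR", "93.184.216.34"),
    ("1370900001.2", "Ca2", "192.168.7.10", "51001", "129.121.254.1", "53",
     "udp", "mail.example.com", "MX", "NOERROR", "mx.example.com"),
    ("1370900002.3", "Ca3", "192.168.7.11", "52000", "8.8.8.8", "53",
     "udp", "update.malware.invalid", "A", "NOERROR", "203.0.113.9"),
    # LLMNR and NetBIOS name service picked up by dynamic protocol detection
    ("1370900003.4", "Ca4", "192.168.7.12", "5355", "224.0.0.252", "5355",
     "udp", "wpad", "A", "-", "-"),
    ("1370900004.5", "Ca5", "192.168.7.12", "137", "192.168.7.255", "137",
     "udp", "WORKGROUP", "NB", "-", "-"),
    # benign-looking name that resolves to a sinkhole address
    ("1370900005.6", "Ca6", "192.168.7.13", "53010", "129.121.254.1", "53",
     "udp", "cdn.legit.example", "A", "NOERROR", "198.51.100.7"),
    ("1370900006.7", "Ca7", "192.168.7.13", "53011", "129.121.254.1", "53",
     "udp", "nonexistent.example", "A", "NXDOMAIN", "-"),
    ("1370900007.8", "Ca8", "192.168.7.14", "54000", "129.121.254.2", "53",
     "tcp", "www.example.com", "A", "NOERROR", "93.184.216.34,93.184.216.35"),
]
SAMPLE_DNS_LOG = "\n".join(
    ["#separator \\x09", "#set_separator\t,", "#unset_field\t-", "#path\tdns",
     "#fields\t" + "\t".join(_HEADER)]
    + ["\t".join(row) for row in _ROWS]) + "\n"

# Constructed indicators, standing in for a downloaded sinkhole list.
BAD_DOMAINS = {"malware.invalid"}
BAD_IPS = {"198.51.100.7"}


def parse_bro_log(text):
    """Return one dict per record, keyed by the names in the #fields line."""
    fields, records = None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):          # #separator, #path, #close, ...
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def count_by_server(records):
    """Same aggregation as: bro-cut id.resp_h id.resp_p | sort | uniq -c."""
    return Counter((r["id.resp_h"], r["id.resp_p"]) for r in records)


def split_vector(value):
    """Expand a Bro vector field; '-' (unset) and '(empty)' mean no elements."""
    return [] if value in ("-", "(empty)") else value.split(",")


def domain_listed(name, bad_domains):
    """True if name is a listed domain or a subdomain of one (case-insensitive)."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in bad_domains)


def sinkhole_hits(records, bad_domains, bad_ips):
    """Flag records whose query or any answer matches the indicator sets.

    Answers are checked as both IPs and names, so CNAME chains into a
    listed domain are caught as well as A records pointing at a sinkhole IP.
    Returns (uid, client, [reasons]) per flagged record, in log order."""
    hits = []
    for r in records:
        reasons = []
        if domain_listed(r["query"], bad_domains):
            reasons.append("query:" + r["query"])
        for answer in split_vector(r["answers"]):
            if answer in bad_ips:
                reasons.append("answer-ip:" + answer)
            elif domain_listed(answer, bad_domains):
                reasons.append("answer-name:" + answer)
        if reasons:
            hits.append((r["uid"], r["id.orig_h"], reasons))
    return hits


if __name__ == "__main__":
    recs = parse_bro_log(SAMPLE_DNS_LOG)
    for (host, port), n in sorted(count_by_server(recs).items(), key=lambda kv: kv[1]):
        print("%8d %-16s %s" % (n, host, port))
    for uid, client, why in sinkhole_hits(recs, BAD_DOMAINS, BAD_IPS):
        print("HIT %s %s %s" % (uid, client, ", ".join(why)))
```

To run it against real logs, read the dns.log (or `zcat` the rotated copies) into `parse_bro_log` and feed the sinkhole list's domains and IPs into the two sets; the header-driven parsing means the column order of the installed Bro version does not matter. Matching on answers as well as queries is what catches the "cdn.legit.example" case, where the name is clean but the resolution lands on a sinkholed address.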
Current thread:
- Re: DNS Query capture and analysis, (continued)
- Re: DNS Query capture and analysis Robin Wood (May 27)
- Re: DNS Query capture and analysis Harri Sylvander (May 27)
- Re: DNS Query capture and analysis John Bond (May 27)
- Re: DNS Query capture and analysis Ryan B (May 27)
- Re: DNS Query capture and analysis Frank McClain (May 28)
- Re: DNS Query capture and analysis Tim Parker (May 28)
- Re: DNS Query capture and analysis Jon Molesa (May 29)
- Re: DNS Query capture and analysis Ryan B (May 27)
- Re: DNS Query capture and analysis Jon Molesa (May 28)
- Re: DNS Query capture and analysis allison nixon (May 29)
- Re: DNS Query capture and analysis Jon Molesa (May 30)
- Re: DNS Query capture and analysis Liam Randall (Jun 11)
- Re: DNS Query capture and analysis allison nixon (May 29)