PaulDotCom mailing list archives

Re: DNS Query capture and analysis

From: "Liam Randall" <Liam.Randall () gigaco com>
Date: Mon, 10 Jun 2013 17:08:57 -0400

<pro_bro>

Bro will make a nice DNS log, although if you are monitoring at the border you are going to see your recursive DNS 
logs.  Our intel framework will test both IP & domain on dns requests and replies.

 

We’ve also got some DGA’s implemented in Bro so you can test for them dynamically:

https://github.com/sethhall/bro-domain-generation

 

Bro will also do dynamic protocol detection so you can just search your logs like this to get a count of all dns 
detected by host/port pair:

zcat */dns.* | bro-cut id.resp_h id.resp_p | sort | uniq -c | sort -n

 

count / server / port

  49250 8.8.8.8 53

  66291 ff02::1:3       5355

  77375 224.0.0.252     5355

142954 129.121.254.2   53

188652 192.168.3.255   137

334508 192.168.7.255   137

1087534 129.121.254.1   53

 

Bro-cut is our log parsing tool; you can grep, sed, & awk your way through the logs.

</pro_bro>

 

Disclosure: I am on the bro team (because I love it)

 

There are a lot of BlackHole/dns sinkhole files floating around you can use, such as:

http://www.malwaredomains.com/?page_id=66

 

 

 

From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Jon 
Molesa
Sent: Wednesday, May 29, 2013 2:13 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] DNS Query capture and analysis

 

Good point.

 

On Tue, May 28, 2013 at 11:23 AM, allison nixon <elsakoo () gmail com> wrote:

If you are interested in malware related activity, you may not want to limit it to only port 53.  You would have to 
write tcpdump filters around the specific flags that specify DNS traffic

 

On Tue, May 28, 2013 at 10:55 AM, Jon Molesa <rjmolesa () consoltec net> wrote:

To create a pcap that contains only dns lookups tcpdump -vvv -i wan0 -s 0 -l port 53 -w dns-only.pcap.

 

To parse a larger pcap containing other protocols tcpdump -vvv -s 0 -l port 53 -r alltraffic.pcap.

 

On Sun, May 26, 2013 at 9:53 PM, Tim Parker <timparkersec () gmail com> wrote:

        What's the best way to capture and analyze DNS queries and responses on my LAN?  Are there any good tools out 
there for this?  I can run a full capture on the WAN interface, but then what's good for automating the extraction of 
the DNS traffic?
        
        Thanks! 

         

        _______________________________________________
        Pauldotcom mailing list
        Pauldotcom () mail pauldotcom com
        http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
        Main Web Site: http://pauldotcom.com





 

-- 
Jon Molesa
rjmolesa () consoltec net

Aoccdrnig to rscheearch at an Elingsh uinervtisy, it deosn't mttaer in waht
oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist
and lsat ltteer are in the rghit pclae. The rset can be a toatl mses  and
you can sitll raed it wouthit a porbelm. Tihs is bcuseae we do not raed
ervey lteter by it slef but the wrod as a wlohe and the biran fguiers it
out aynawy.

... so please excuse me for every typo in the email above.

Reference: https://github.com/Ettercap/ettercap/blob/master/README 


_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com





 

-- 

_________________________________
Note to self: Pillage BEFORE burning. 
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com





 

-- 
Jon Molesa
rjmolesa () consoltec net

Aoccdrnig to rscheearch at an Elingsh uinervtisy, it deosn't mttaer in waht
oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist
and lsat ltteer are in the rghit pclae. The rset can be a toatl mses  and
you can sitll raed it wouthit a porbelm. Tihs is bcuseae we do not raed
ervey lteter by it slef but the wrod as a wlohe and the biran fguiers it
out aynawy.

... so please excuse me for every typo in the email above.

Reference: https://github.com/Ettercap/ettercap/blob/master/README

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

Current thread:

Re: DNS Query capture and analysis, (continued)
- Re: DNS Query capture and analysis Robin Wood (May 27)
- Re: DNS Query capture and analysis Harri Sylvander (May 27)
- Re: DNS Query capture and analysis John Bond (May 27)
  - Re: DNS Query capture and analysis Ryan B (May 27)
    - Re: DNS Query capture and analysis Frank McClain (May 28)
    - Re: DNS Query capture and analysis Tim Parker (May 28)
  - Re: DNS Query capture and analysis Jon Molesa (May 29)
- Re: DNS Query capture and analysis Jon Molesa (May 28)
  - Re: DNS Query capture and analysis allison nixon (May 29)
    - Re: DNS Query capture and analysis Jon Molesa (May 30)
    - Re: DNS Query capture and analysis Liam Randall (Jun 11)