Got it. At the moment, I've only got the capability to capture LAN <--> Internet.
On Thu, Jan 7, 2016 at 3:25 PM, Kennedy, Jim <[email protected]> wrote:

> It all depends on what you are using, what it is monitoring and where it
> is monitoring. In my case I do a traffic capture on all traffic to and from my
> servers. So I too see the server make the request, and also the client.
> Then the box analyzes all the traffic. A second monitoring point to and
> from the internet is in the works.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Richard Stovall
> Sent: Thursday, January 7, 2016 3:19 PM
> To: [email protected]
> Subject: Re: [NTSysADM] Source of DNS queries
>
> In this instance I don't know the original source of the query, be it an
> iPhone, PC, server, or whatever. Trying to find a way to make discovering
> that device as easy as possible.
>
> On Thu, Jan 7, 2016 at 2:44 PM, Ed Ziots <[email protected]> wrote:
>
>> I agree the malicious iPhone should be blocked, then you can parse firewall
>> logs to see who the connections are and just put that on an egress filter
>> last firewall block rule.
>>
>> Ed
>>
>> On Jan 7, 2016 2:42 PM, "Michael B. Smith" <[email protected]> wrote:
>>
>>> Why are you averse to scanning the logs?
>>>
>>> From: [email protected] [mailto:[email protected]] On Behalf Of Richard Stovall
>>> Sent: Thursday, January 7, 2016 1:49 PM
>>> To: [email protected]
>>> Subject: [NTSysADM] Source of DNS queries
>>>
>>> I am in the early stages of deploying a SIEM solution and one of the
>>> things that pops up occasionally is alarms for when a DNS query is
>>> conducted and the response contains a known-malicious IP. What I'm trying
>>> to do is figure out which machine queried the DNS server, because the alert
>>> just shows that a query response with the malicious IP went back to the DNS
>>> server.
>>>
>>> Short of enabling DNS debug logging on my MS DNS servers and picking
>>> through them to find the source of the query, is there another solution
>>> that's more permanent?
>>>
>>> I'm thinking that if I had something like a "DNS proxy" that does the kind
>>> of logging I'm looking for, that would be great. Essentially a DNS server
>>> that forwards everything on to the 'regular' servers.
>>>
>>> client <--> proxy <--> internal DNS server <--> external DNS servers
>>>
>>> Just messing around with ideas. Anyone have a solution to this already in
>>> place? (Preferably one that's affordable for the little guys. :-)
>>>
>>> Thanks,
>>> RS
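An added example, not from anyone in the thread, of automating the "pick through the DNS debug logs" step Richard describes: given the query name from the SIEM alert, it reports which LAN hosts sent that query to the Windows DNS server, skipping the server's own upstream exchange with its forwarders. The record layout is the Windows DNS debug-log format as I recall it (an assumption; check it against one line of your own log), and the log lines, addresses and domain names are constructed.

```python
import re
from collections import defaultdict

# Assumed Windows DNS debug-log layout: Date Time ThreadID Context PacketID
# Proto Snd/Rcv RemoteIP Xid [R] Opcode [Flags(hex) Flags(chars) RCODE] QType QName
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+(?: [AP]M)?) \S+ PACKET\s+\S+ (?P<proto>UDP|TCP) "
    r"(?P<dir>Snd|Rcv) (?P<ip>\S+)\s+(?P<xid>[0-9a-fA-F]{4})\s+(?P<resp>R?)\s+"
    r"(?P<op>[QNU]) \[(?P<hexflags>[0-9a-fA-F]{4})\s+(?P<flags>[A-Z ]*?)\s+"
    r"(?P<rcode>\w+)\]\s+(?P<qtype>\S+)\s+(?P<qname>\(\d+\).*\(0\))\s*$")

def decode_qname(label_form: str) -> str:
    """'(3)www(7)example(3)com(0)' -> 'www.example.com'."""
    labels = re.findall(r"\(\d+\)([^()]*)", label_form)
    return ".".join(l for l in labels if l).lower()

def parse_line(line: str):
    # Returns the record fields as a dict, or None for lines that are not packets.
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = decode_qname(rec["qname"])
    rec["is_response"] = rec["resp"] == "R"
    return rec

def clients_querying(lines, qname, forwarders):
    """Map client IP -> number of *queries received* for qname. Responses, packets
    the server sent, and anything exchanged with the forwarders are excluded."""
    hits = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dir"] != "Rcv" or rec["is_response"]:
            continue
        if rec["ip"] in forwarders or rec["qname"] != qname.lower():
            continue
        hits[rec["ip"]] += 1
    return dict(hits)

# Constructed sample: two LAN clients, one forwarder (198.51.100.53 is TEST-NET-2).
FORWARDERS = {"198.51.100.53"}
SAMPLE_LOG = [
    "1/7/2016 1:49:12 PM 0A8C PACKET  0000000002A3B5D0 UDP Rcv 10.1.1.25       3c1a   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)",
    "1/7/2016 1:49:12 PM 0A8C PACKET  0000000002A3B5D0 UDP Snd 10.1.1.25       3c1a R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)",
    "1/7/2016 1:49:30 PM 0A8C PACKET  0000000002A3C1F0 UDP Rcv 10.1.1.77       9e20   Q [0001   D   NOERROR] A      (3)bad(7)example(3)net(0)",
    "1/7/2016 1:49:30 PM 0A8C PACKET  0000000002A3C2A0 UDP Snd 198.51.100.53   7b11   Q [0001   D   NOERROR] A      (3)bad(7)example(3)net(0)",
    "1/7/2016 1:49:30 PM 0A8C PACKET  0000000002A3C2A0 UDP Rcv 198.51.100.53   7b11 R Q [8180   DR  NOERROR] A      (3)bad(7)example(3)net(0)",
    "1/7/2016 1:49:30 PM 0A8C PACKET  0000000002A3C1F0 UDP Snd 10.1.1.77       9e20 R Q [8081   DR  NOERROR] A      (3)bad(7)example(3)net(0)",
    "1/7/2016 1:50:02 PM 0A8C PACKET  0000000002A3D010 UDP Rcv 10.1.1.77       9e21   Q [0001   D   NOERROR] A      (3)bad(7)example(3)net(0)",
]
```

`clients_querying(SAMPLE_LOG, "bad.example.net", FORWARDERS)` returns `{'10.1.1.77': 2}`, the one LAN host that asked for the flagged name; the same function over a day's log gives the device list the SIEM alert lacks.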
