<pro_bro>

Bro will make a nice DNS log, although if you are monitoring at the border you 
are going to see your recursive DNS logs.  Our intel framework will test both 
IP & domain on dns requests and replies.

 

We’ve also got some DGAs implemented in Bro so you can test for them 
dynamically:

https://github.com/sethhall/bro-domain-generation

 

Bro will also do dynamic protocol detection so you can just search your logs 
like this to get a count of all dns detected by host/port pair:

zcat */dns.* | bro-cut id.resp_h id.resp_p | sort | uniq -c | sort -n

 

  count server          port

  49250 8.8.8.8         53
  66291 ff02::1:3       5355
  77375 224.0.0.252     5355
 142954 129.121.254.2   53
 188652 192.168.3.255   137
 334508 192.168.7.255   137
1087534 129.121.254.1   53

 

Bro-cut is our log parsing tool; you can grep, sed, & awk your way through the 
logs.

</pro_bro>

 

Disclosure: I am on the bro team (because I love it)

 

There are a lot of BlackHole/dns sinkhole files floating around you can use, 
such as:

http://www.malwaredomains.com/?page_id=66
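As an added example (not part of the thread and not Bro's own code), the same host/port count that the zcat | bro-cut | sort | uniq -c pipeline above produces, plus an intel-framework style match of both query names and answer IPs against a sinkhole-style list like the malwaredomains file. The dns.log snippet and the two blocklists are constructed sample data; the log follows the Bro 2.x ASCII layout with a "#fields" header (which is how bro-cut resolves column names), and only a subset of the real dns.log fields is included.

```python
"""Pure-Python stand-in for the bro-cut pipeline plus an intel-style match.

Assumptions (not from the thread): SAMPLE_DNS_LOG and the two blocklists are
constructed sample data; the log uses Bro 2.x ASCII layout with a "#fields"
header line, and only a subset of the real dns.log fields is included.
"""
from collections import Counter

# Constructed sample dns.log (tab-separated; header lines start with '#').
SAMPLE_DNS_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tdns\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype_name\tanswers\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tvector[string]\n"
    "1369853000.1\tC1\t192.168.3.10\t51000\t8.8.8.8\t53\tudp\twww.example.com\tA\t93.184.216.34\n"
    "1369853001.2\tC2\t192.168.3.11\t51001\t8.8.8.8\t53\tudp\tcdn.bad-domain.example\tA\t10.9.8.7\n"
    "1369853002.3\tC3\t192.168.3.12\t5355\t224.0.0.252\t5355\tudp\tfileserver\tA\t-\n"
    "1369853003.4\tC4\t192.168.3.10\t51002\t129.121.254.1\t53\tudp\tupdates.vendor.example\tA\t198.51.100.5,10.9.8.7\n"
    "1369853004.5\tC5\t192.168.3.13\t51003\t129.121.254.1\t53\tudp\tmail.example.com\tMX\t-\n"
    "#close\t2013-05-29-14-00-00\n"
)

# Constructed stand-ins for a malwaredomains-style sinkhole list.
SINKHOLE_DOMAINS = {"bad-domain.example"}
SINKHOLE_IPS = {"10.9.8.7"}


def parse_bro_log(text):
    """Yield one dict per record, keyed by the column names in the #fields line."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data record before #fields header")
        yield dict(zip(fields, line.split("\t")))


def count_responders(records):
    """Same result as: bro-cut id.resp_h id.resp_p | sort | uniq -c."""
    return Counter((r["id.resp_h"], r["id.resp_p"]) for r in records)


def format_counts(counts):
    """Rows 'count resp_h resp_p', ascending by count like the trailing sort -n."""
    ordered = sorted(counts.items(), key=lambda kv: kv[1])
    return ["%7d %-15s %s" % (n, h, p) for (h, p), n in ordered]


def domain_listed(name, blocklist):
    """True if name or any parent domain is listed (www.x.example -> x.example)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def find_hits(records, domains=SINKHOLE_DOMAINS, ips=SINKHOLE_IPS):
    """Intel-style check: flag a record if its query or any answer IP is listed."""
    hits = []
    for r in records:
        reasons = []
        if domain_listed(r["query"], domains):
            reasons.append("query:" + r["query"])
        for addr in r["answers"].split(","):  # '-' means unset in Bro logs
            if addr in ips:
                reasons.append("answer:" + addr)
        if reasons:
            hits.append((r["uid"], r["id.orig_h"], reasons))
    return hits


if __name__ == "__main__":
    recs = list(parse_bro_log(SAMPLE_DNS_LOG))
    print("\n".join(format_counts(count_responders(recs))))
    for uid, host, why in find_hits(recs):
        print("HIT", uid, host, ", ".join(why))
```

Parent-domain matching matters for sinkhole lists: the list names the registered domain, while the log shows whatever hostname the client asked for. Matching answer IPs as well as names catches the case where a clean-looking name resolves to a known sinkhole or malicious address.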

 

 

 

From: [email protected] 
[mailto:[email protected]] On Behalf Of Jon Molesa
Sent: Wednesday, May 29, 2013 2:13 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] DNS Query capture and analysis

 

Good point.

 

On Tue, May 28, 2013 at 11:23 AM, allison nixon <[email protected]> wrote:

If you are interested in malware related activity, you may not want to limit it 
to only port 53.  You would have to write tcpdump filters around the specific 
flags that specify DNS traffic

 

On Tue, May 28, 2013 at 10:55 AM, Jon Molesa <[email protected]> wrote:

To create a pcap that contains only dns lookups: tcpdump -vvv -i wan0 -s 0 -l 
port 53 -w dns-only.pcap

 

To parse a larger pcap containing other protocols: tcpdump -vvv -s 0 -l port 53 
-r alltraffic.pcap

 

On Sun, May 26, 2013 at 9:53 PM, Tim Parker <[email protected]> wrote:

What's the best way to capture and analyze DNS queries and responses on 
my LAN?  Are there any good tools out there for this?  I can run a full capture 
on the WAN interface, but then what's good for automating the extraction of the 
DNS traffic?

Thanks!

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com





 

-- 
Jon Molesa
[email protected]

Aoccdrnig to rscheearch at an Elingsh uinervtisy, it deosn't mttaer in waht
oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist
and lsat ltteer are in the rghit pclae. The rset can be a toatl mses  and
you can sitll raed it wouthit a porbelm. Tihs is bcuseae we do not raed
ervey lteter by it slef but the wrod as a wlohe and the biran fguiers it
out aynawy.

... so please excuse me for every typo in the email above.

Reference: https://github.com/Ettercap/ettercap/blob/master/README 







 

-- 

_________________________________
Note to self: Pillage BEFORE burning. 





 

-- 
Jon Molesa
[email protected]

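As an added example (not from the thread, and not Bro's DPD logic or tcpdump's filter engine), a small Python check of the point raised in the exchange above: a `port 53` capture filter and "DNS traffic" are not the same set, because DNS-formatted traffic also rides on other ports (LLMNR on 5355, mDNS on 5353, or anything a client chooses) while non-DNS traffic can sit on 53. A four-packet pcap is constructed in memory and each UDP payload is tested for DNS header structure instead of its port. The packets, addresses and the `looks_like_dns` heuristic are assumptions made for this example.

```python
"""Port-based vs structure-based DNS selection over a pcap, in pure Python.

Assumptions (not from the thread): the pcap is built in memory from four
constructed UDP packets; looks_like_dns() is a header-shape heuristic written
for this example, not Bro's DPD signature or tcpdump's BPF filter.
"""
import socket
import struct


def dns_query(name, qtype=1, txid=0x1234):
    """Standard DNS query (RD set, one question) for `name`."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)


def udp_ipv4_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/UDP frame; UDP checksum left 0 (optional in IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x00\x66\x77\x88\x99\xaa" + b"\x08\x00"
    return eth + ip + udp


def build_pcap(frames):
    """Little-endian pcap file (link type 1 = Ethernet) holding `frames`."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1369853000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def iter_udp(pcap):
    """Yield (src, dst, sport, dport, payload) for each IPv4/UDP frame."""
    magic = struct.unpack("<I", pcap[:4])[0]
    e = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack(e + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack(e + "IIII", pcap[off:off + 16])
        off += 16
        frame = pcap[off:off + caplen]
        off += caplen
        # 14 (eth) + 20 (ip) + 8 (udp) minimum; ethertype IPv4; protocol 17
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        sport, dport, ulen = struct.unpack("!HHH", ip[ihl:ihl + 6])
        yield src, dst, sport, dport, ip[ihl + 8:ihl + ulen]


def looks_like_dns(payload):
    """Heuristic: sane DNS header plus a question section that parses cleanly."""
    if len(payload) < 12 + 5:  # header + shortest possible question
        return False
    _, flags, qd, _, _, _ = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode > 2 or flags & 0x0040:  # unknown opcode, or reserved Z bit set
        return False
    if not 1 <= qd <= 8:
        return False
    off = 12
    for _ in range(qd):
        while True:  # walk the labels of one QNAME
            if off >= len(payload):
                return False
            l = payload[off]
            if l == 0:
                off += 1
                break
            if l & 0xC0 == 0xC0:  # compression pointer ends the name
                off += 2
                break
            if l > 63:
                return False
            off += 1 + l
        if off + 4 > len(payload):  # QTYPE + QCLASS must fit
            return False
        off += 4
    return True


def classify(pcap):
    """Flows a 'port 53' filter would keep vs flows whose payload is DNS-shaped."""
    by_port, by_shape = [], []
    for src, dst, sport, dport, payload in iter_udp(pcap):
        key = (src, dst, sport, dport)
        if 53 in (sport, dport):
            by_port.append(key)
        if looks_like_dns(payload):
            by_shape.append(key)
    return by_port, by_shape


def build_sample_pcap():
    """Constructed traffic: plain DNS, LLMNR, DNS on an odd port, non-DNS on 53."""
    return build_pcap([
        udp_ipv4_frame("192.168.3.10", "8.8.8.8", 51000, 53, dns_query("www.example.com")),
        udp_ipv4_frame("192.168.3.10", "224.0.0.252", 5355, 5355, dns_query("fileserver")),
        udp_ipv4_frame("192.168.3.11", "198.51.100.9", 40000, 5353, dns_query("lookup.bad-domain.example")),
        udp_ipv4_frame("192.168.3.12", "198.51.100.9", 40001, 53, b"GET / HTTP/1.0\r\n\r\n"),
    ])


if __name__ == "__main__":
    by_port, by_shape = classify(build_sample_pcap())
    print("port 53 filter :", by_port)
    print("DNS-shaped     :", by_shape)
```

On the sample, the port filter keeps two packets (one of them HTTP on port 53) and misses the LLMNR and port-5353 queries, while the structure check keeps the three real DNS messages; that gap is the reason to let a protocol-aware analyzer pick DNS out of a full capture rather than pre-filtering on port.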
