Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
5 Ways To Monitor DNS Traffic For Security Threats
Threaded  |  Newest First  |  Oldest First
dougburks
100%
0%
dougburks,
User Rank: Apprentice
9/19/2014 | 6:09:38 AM
Security Onion
Hi Dave,

Great article!  You mentioned Snort, Suricata, Bro, and OSSEC.  Security Onion is a Linux distro that contains all of these tools and it also includes ELSA for easy slicing and dicing of their logs.

 

 
Robert McDougal
100%
0%
Robert McDougal,
User Rank: Ninja
9/19/2014 | 9:51:44 AM
Re: Security Onion
I have to second the Security Onion suggestion.  Every organization not matter how small, should have an IDS running and security onion is FREE!
JamesR010
100%
0%
JamesR010,
User Rank: Strategist
9/19/2014 | 1:57:50 PM
BIND!
BIND 9.10 will do a lot of what you mention, right out of the box, and for free: ACLs, verbose logging, rate-limiting (for DDoS attack mitigation), and most importantly, Response Policy Zones. I've been using RPZ for a few months now, and it certainly lives up to its alias as "the DNS firewall". I've caught a few infected desktops trying to reach C&C servers that were NOT identified by my firewall, IDSs, Fire sec appliances, and various AV products.
Lucamp
100%
0%
Lucamp,
User Rank: Strategist
9/22/2014 | 7:37:48 AM
Another tool
Hi Dave,

Fantastic artcile by the way. Another tool that you can use for DNS is AIEngine (https://bitbucket.org/camp0/aiengine). We use it combinated with Redis to register Domains and works fine for us.
jpmanibusan
100%
0%
jpmanibusan,
User Rank: Apprentice
4/19/2015 | 12:49:00 PM
Academic Research Papers on pDNS, DGA, NXDOMAIN
Hi Dave- Nice article on a topic that continues to be largely overlooked.

For anyone looking for additional reading along these lines, check out Damballa's DGA archive here https://www.damballa.com/tag/dga/

The collaborative efforts of Damballa and Georgia Tech Applied Mathematics Ph.D researchers have been well documented over the years, and frequently presented at major security research conferences (e.g. USENIX). The academic research papers can be found online by searching for their project names: Notos, Pleiades, and ExecScent, among them.

Cheers, JP


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-37457
PUBLISHED: 2021-07-25
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the SipRule field (stored).
CVE-2021-37458
PUBLISHED: 2021-07-25
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the primary phone field (stored).
CVE-2021-37459
PUBLISHED: 2021-07-25
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the customer name field (stored).
CVE-2021-37460
PUBLISHED: 2021-07-25
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via /planprop?id= (reflected).
CVE-2021-37461
PUBLISHED: 2021-07-25
Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via /extensionsinstruction?id= (reflected).