Educause Security Discussion
mailing list archives
Re: capturing full URL information via DNS request logs
From: Will Froning <will.froning () GMAIL COM>
Date: Thu, 10 Oct 2013 00:52:57 +0400
As others have mentioned, DNS analysis isn't the right tool for this. I'm running Security Onion for this sort of
thing. Bro + ELSA is great at this.
Having said that, make sure you aren't breaking the rules by grabbing this level of detail.
Will.Froning () GMail com
On Oct 10, 2013, at 12:03 AM, "Youngquist, Jason R." <jryoungquist () ccis edu> wrote:
Currently we have a network monitoring device using netflow. One problem we are having with this device is it
doesn't give us URL information. There are a few other methods that were recommended to us in order to get this
information. Instead of getting an IP address that points to Akamai (i.e. this is what is captured via netflow), one
person suggested that it was relatively easy to capture the original content that the user was downloading. I.e., in
the original DNS request the URL information would be included in the packet info. Are people using DNS logs to
capture this type of URL traffic? If so, does it provide the full URL, or just the DNS host name? DNS host name
would be useful, but full URL would be even better.
Appreciate any insights you may have.
Jason Youngquist, CISSP, CISA
Information Security Engineer
Columbia College - Technology Services
1001 Rogers Street, Columbia, MO 65216
jryoungquist () ccis edu
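The distinction raised in the thread (DNS log gives the hostname, an HTTP-layer sensor such as Bro's http.log gives the full URL) can be shown on the wire formats themselves. The following is an added example, not code from either poster or from Security Onion/Bro: it builds and parses an RFC 1035 A query, parses an HTTP/1.1 request line plus Host header, and shows which fields each layer can recover. The hostname, path and request are constructed for the demonstration.

```python
"""
Added example (not from the list thread): what a passive DNS log can recover
versus what an HTTP-layer log (e.g. Bro/Zeek http.log) can recover.

The DNS query is parsed straight from the RFC 1035 wire format; the HTTP
request is parsed from its request line and Host header. Both inputs below
are constructed samples, not captured traffic.
"""
import struct


def encode_qname(name: str) -> bytes:
    """Encode a hostname as DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard A query: 12-byte header (RD set, QDCOUNT=1) + QNAME + QTYPE + QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_dns_query(pkt: bytes) -> dict:
    """Return the fields a DNS sensor can log: transaction id, QNAME, QTYPE, QCLASS.

    There is no field in the question section that could carry a URL path or
    query string; the hostname is all the resolver ever sends."""
    txid, _flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos = 12
    labels = []
    while True:
        ln = pkt[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer not expected in a query name")
        labels.append(pkt[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return {"txid": txid, "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}


def parse_http_request(raw: bytes) -> dict:
    """Return the fields an HTTP-layer sensor records: method, host, uri,
    and the full URL reconstructed from Host + request-target."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    host = headers.get("host", "")
    return {"method": method, "host": host, "uri": target,
            "url": f"http://{host}{target}" if host else target}


# Constructed sample traffic for one download (hostname and path are assumptions).
SAMPLE_HOST = "downloads.example.edu"
SAMPLE_DNS_QUERY = build_dns_query(SAMPLE_HOST)
SAMPLE_HTTP_REQUEST = (
    b"GET /files/setup.exe?ver=3 HTTP/1.1\r\n"
    b"Host: downloads.example.edu\r\n"
    b"User-Agent: constructed-sample\r\n\r\n"
)

if __name__ == "__main__":
    print("DNS log would record: ", parse_dns_query(SAMPLE_DNS_QUERY))
    print("HTTP log would record:", parse_http_request(SAMPLE_HTTP_REQUEST))
```

Run stand-alone, the DNS side yields only `downloads.example.edu` (plus type and class), while the HTTP side yields the reconstructed `http://downloads.example.edu/files/setup.exe?ver=3`. This is also why the netflow view in the original question shows an Akamai address: the flow sees the resolved IP, the DNS log sees the name the client asked for, and only an HTTP-layer sensor sees the path.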