Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: capturing full URL information via DNS request logs
From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Wed, 9 Oct 2013 17:32:25 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Oct 09, 2013 at 08:03:02PM +0000, Youngquist, Jason R. wrote:

us in order to get this information.  Instead of getting an IP address
that points to Akamai (ie. this is want is captured via netflow), one
person suggested that it was relatively easy to capture the original
content that the user was downloading.  Ie. in the original DNS
request the URL information would be included in the packet info.  

As others have pointed out, that's not quite right. You can get the
domain name but not the URL. Unless you're grabbing passive DNS then you
won't be able to match domain lookups with corresponding destination IP
addresses.

Are people using DNS logs to capture this type of URL traffic?  If so,
does it provide the full URL, or just the DNS host name?  DNS host
name would be useful, but full URL would be even better.

Using SecurityOnion to pull DNS information with Bro + ELSA:

https://www.youtube.com/watch?v=33HZyIxbg6c

Doing something similar with Bro + ELSA (Ubuntu 12 LTS, not SecurityOnion):

http://opensecgeek.blogspot.com/2013/02/nsm-with-bro-ids-part-4-bro-and-elsa.html

You can substitute Splunk or whatever logging solution you use for ELSA,
if it speaks syslog then it's trivial to get your bro logs there.

You can do some similar things with the suricata logs but I MUCH prefer
bro for that since you get passive DNS and an equivalent to netflow
out-of-the-box. It's not the best for visualisation but it's *awesome*
for network forensics.

kmw

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAlJVy2gACgkQsKMTOtQ3fKFY3gCdGZC7b4qygEJ77nkh2IhmWEcQ
sDIAoIFvr0/7mB9iMowkmtOKJB0/ZsWu
=gP6m
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault