Home page logo

educause logo Educause Security Discussion mailing list archives

Re: capturing full URL information via DNS request logs
From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Wed, 9 Oct 2013 17:32:25 -0400

Hash: SHA1

On Wed, Oct 09, 2013 at 08:03:02PM +0000, Youngquist, Jason R. wrote:

us in order to get this information.  Instead of getting an IP address
that points to Akamai (ie. this is want is captured via netflow), one
person suggested that it was relatively easy to capture the original
content that the user was downloading.  Ie. in the original DNS
request the URL information would be included in the packet info.  

As others have pointed out, that's not quite right. You can get the
domain name but not the URL. Unless you're grabbing passive DNS then you
won't be able to match domain lookups with corresponding destination IP

Are people using DNS logs to capture this type of URL traffic?  If so,
does it provide the full URL, or just the DNS host name?  DNS host
name would be useful, but full URL would be even better.

Using SecurityOnion to pull DNS information with Bro + ELSA:


Doing something similar with Bro + ELSA (Ubuntu 12 LTS, not SecurityOnion):


You can substitute Splunk or whatever logging solution you use for ELSA,
if it speaks syslog then it's trivial to get your bro logs there.

You can do some similar things with the suricata logs but I MUCH prefer
bro for that since you get passive DNS and an equivalent to netflow
out-of-the-box. It's not the best for visualisation but it's *awesome*
for network forensics.


Version: GnuPG v1.4.10 (GNU/Linux)


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]