Educause Security Discussion
mailing list archives
Re: capturing full URL information via DNS request logs
From: "Youngquist, Jason R." <jryoungquist () CCIS EDU>
Date: Thu, 10 Oct 2013 16:24:30 +0000
Thanks all for your feedback. I believe I have been going down the right path all along, just haven't had time to
devote to this project.
I am currently working with Bro. That's how I told my CIO we could get URL information. I had a Bro test instance
installed on a server for a couple weeks and then the hard drive crashed on it. Currently rebuilding the server and
hope to get Bro back up and running so I can make tweaks to get the URL info sent to my SIEM/log collector for analysis
and/or package it into a netflow record that my netflow collector can read.
I have used nprobe and it will capture URL information and put it into a netflow record.
The problem is the URL information is not displayed in my current netflow collector. We have Lancope's StealthWatch
Xe (BTW, I am a big fan of them) and were sending stuff from nprobe (before my box crashed) but StealthWatch doesn't know how to display the URL
information, because it's not in their table schema. I've been telling Lancope they should add integration with nprobe
into their product, but they have a competing product called a "flow sensor" which takes a spanned/mirrored port just
like nprobe and converts it into layer 7 netflow. I'd like to save the college money, so I'd rather have nprobe
integration with StealthWatch as a new feature from them for free rather than purchasing their "flow sensor" product.
One could also potentially craft a netflow record via Bro (this was the idea I was thinking about using since nprobe
doesn't work) and was going to contact the Lancope folks about my idea to try to get a table schema so I could map the
URL field to one of their table fields.
I know that it is on their radar, but they have other more high priority items they are working on right now. Maybe
existing Lancope customers could put a "bug in their Lancope sales guy's ear" and let them know we would like to see this
nprobe integration in future releases?
The cool thing about nprobe...it's free for educational institutions. You don't have to pay a penny. Everyone should
be using it. I've been in contact with the developer of nprobe and she has been quite helpful in helping me get the
product up and running in my environment. (can be used on both Windows/Linux)
If you do contact Lancope, please make sure to let me know. They are quite user focused and are having their first
users conference here at the end of the month in October. Maybe create a buzz about this idea at the conference so it can
be bumped up in priority?
Jason Youngquist, CISSP, CISA
Information Security Engineer
Columbia College - Technology Services
1001 Rogers Street, Columbia, MO 65216
jryoungquist () ccis edu
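As an added illustration of the Bro approach described in the post (this is example code, not the poster's or the Bro project's own), the script below reads Bro's tab-separated http.log, reconstructs the full URL from the host and uri fields, and emits one JSON line per request for a SIEM/log collector. The log sample is constructed; the column names follow Bro's default http.log header.

```python
"""Rebuild full URLs from a Bro http.log and emit SIEM-friendly JSON lines.

Added example, not from the original post. SAMPLE_HTTP_LOG is constructed;
its #fields line uses Bro's default http.log column names (abbreviated set).
"""
import json

# Constructed sample in Bro's tab-separated http.log format.
SAMPLE_HTTP_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\thttp
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tuser_agent\tstatus_code
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tstring\tcount
1381420800.123456\tCabc123\t10.0.0.5\t51234\t93.184.216.34\t80\tGET\texample.com\t/index.html\tMozilla/5.0\t200
1381420801.5\tCdef456\t10.0.0.7\t51235\t93.184.216.34\t80\tGET\t-\t/no-host\tcurl/7.30\t400
#close\t2013-10-10-16-24-30
"""


def parse_bro_log(text):
    """Yield one dict per data row, naming columns from the #fields header.
    Unset fields ('-') become None; '#' metadata lines are skipped."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row appeared before the #fields header")
        values = [None if v == "-" else v for v in line.split("\t")]
        yield dict(zip(fields, values))


def to_siem_records(text):
    """Combine host + uri into the full URL a plain netflow record lacks.
    Requests without a Host header get url=None and are flagged for filtering."""
    out = []
    for rec in parse_bro_log(text):
        host, uri = rec.get("host"), rec.get("uri") or ""
        out.append({
            "ts": float(rec["ts"]),
            "src": f"{rec['id.orig_h']}:{rec['id.orig_p']}",
            "dst": f"{rec['id.resp_h']}:{rec['id.resp_p']}",
            "method": rec.get("method"),
            "url": f"http://{host}{uri}" if host else None,
            "host_missing": host is None,
            "status": int(rec["status_code"]) if rec.get("status_code") else None,
        })
    return out


if __name__ == "__main__":
    for r in to_siem_records(SAMPLE_HTTP_LOG):
        print(json.dumps(r))  # one JSON line per HTTP request for the log collector
```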