Feature #121
openAlert on domain name look up, capture traffic for corresponding IP
Description
It'd be handy to have the ability to capture traffic involving an IP address found in DNS responses for a known bad domain. As far as I know, no other IDS product does this.
As an example, say I have an IDS sensor at my border router. A workstation on my network looks up badguy.com, and receives a DNS response for address 4.5.6.7.
As I know badguy.com is a botnet command and control host, and that any communication with 4.5.6.7 will therefore be of security interest, I want to have all traffic involving that IP address recorded (possibly for x minutes after the DNS request or until the IP in the DNS response changes) to see what data has gone out to that command and control host, especially if it contains data that will help me quickly identify the infected workstation, that I can use to find the infected box and clean it up.
Updated by Victor Julien over 12 years ago
- Target version set to TBD
I guess such a thing would start with a DNS protocol decoder.
Updated by Andreas Moe over 9 years ago
Dont we do DNS protocol decoding? seeing that we can log DNS activity? Or is this more of a scenario where we could write "alert dns..."
Updated by Victor Julien over 6 years ago
- Effort set to medium
- Difficulty set to medium
Updated by Victor Julien almost 4 years ago
- Related to Feature #1005: conditional logging: controlling what gets logged added
Updated by Philippe Antoine over 1 year ago
I wonder if it is now possible :
One rule matches the DNS resolution to the domain, adds the ip address into a dataset
Another rule uses this dataset to trigger an alert and does conditional pcap logging