Feature #121
openAlert on domain name look up, capture traffic for corresponding IP
Description
It'd be handy to have the ability to capture traffic involving an IP address found in DNS responses for a known bad domain. As far as I know, no other IDS product does this.
As an example, say I have an IDS sensor at my border router. A workstation on my network looks up badguy.com, and receives a DNS response for address 4.5.6.7.
As I know badguy.com is a botnet command and control host, and that any communication with 4.5.6.7 will therefore be of security interest, I want to have all traffic involving that IP address recorded (possibly for x minutes after the DNS request or until the IP in the DNS response changes) to see what data has gone out to that command and control host, especially if it contains data that will help me quickly identify the infected workstation, that I can use to find the infected box and clean it up.