Educause Security Discussion mailing list archives
Re: capturing full URL information via DNS request logs
From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Wed, 9 Oct 2013 17:32:25 -0400
On Wed, Oct 09, 2013 at 08:03:02PM +0000, Youngquist, Jason R. wrote:
> us in order to get this information. Instead of getting an IP address that points to Akamai (i.e. this is what is captured via netflow), one person suggested that it was relatively easy to capture the original content that the user was downloading. I.e. in the original DNS request the URL information would be included in the packet info.
As others have pointed out, that's not quite right. You can get the domain name but not the URL. Unless you're grabbing passive DNS, you won't be able to match domain lookups with corresponding destination IP addresses.
> Are people using DNS logs to capture this type of URL traffic? If so, does it provide the full URL, or just the DNS host name? DNS host name would be useful, but full URL would be even better.
Using SecurityOnion to pull DNS information with Bro + ELSA: https://www.youtube.com/watch?v=33HZyIxbg6c

Doing something similar with Bro + ELSA (Ubuntu 12 LTS, not SecurityOnion): http://opensecgeek.blogspot.com/2013/02/nsm-with-bro-ids-part-4-bro-and-elsa.html

You can substitute Splunk or whatever logging solution you use for ELSA; if it speaks syslog, it's trivial to get your Bro logs there. You can do some similar things with the Suricata logs, but I MUCH prefer Bro for that since you get passive DNS and an equivalent to netflow out-of-the-box. It's not the best for visualisation but it's *awesome* for network forensics.

kmw
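As an added illustration (not part of Kevin's post or of Bro itself), here is the "hostname, not URL" point worked through on Bro-style logs: a passive DNS join of constructed, simplified dns.log and conn.log samples (field names follow Bro's id.orig_h / id.resp_h convention; the addresses, names and timestamps are made up). The join attaches looked-up domain names to destination IPs; the path of a URL never appears here, only in http.log for cleartext HTTP.

```python
"""Passive DNS join: annotate conn.log destinations with names from dns.log answers."""
from collections import defaultdict

# Constructed, simplified Bro-style logs: tab-separated, '#fields' header, '-' = unset.
DNS_LOG = """#fields\tts\tid.orig_h\tquery\tqtype_name\tanswers
1381352000.1\t10.0.0.5\twww.example.edu\tA\t93.184.216.34
1381352001.2\t10.0.0.5\tcdn.vendor.test\tA\t203.0.113.10,203.0.113.11
1381352002.3\t10.0.0.7\tmail.example.edu\tMX\t-
"""
CONN_LOG = """#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tservice
1381352000.4\t10.0.0.5\t93.184.216.34\t443\tssl
1381352001.5\t10.0.0.5\t203.0.113.11\t80\thttp
1381352003.0\t10.0.0.9\t198.51.100.7\t80\thttp
"""


def parse_bro_log(text):
    """Yield one dict per record, keyed by the names in the '#fields' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def passive_dns(dns_text):
    """Map each answer IP to the set of query names that resolved to it."""
    pdns = defaultdict(set)
    for rec in parse_bro_log(dns_text):
        if rec["answers"] == "-":          # e.g. MX lookups carry no address answer here
            continue
        for answer in rec["answers"].split(","):
            pdns[answer].add(rec["query"])
    return pdns


def annotate_conns(dns_text, conn_text):
    """Return (dest_ip, dest_port, sorted names) per connection; names is [] if no lookup was seen."""
    pdns = passive_dns(dns_text)
    return [(r["id.resp_h"], int(r["id.resp_p"]), sorted(pdns.get(r["id.resp_h"], ())))
            for r in parse_bro_log(conn_text)]


if __name__ == "__main__":
    for ip, port, names in annotate_conns(DNS_LOG, CONN_LOG):
        print(f"{ip}:{port} <- {names or '(no DNS lookup observed: direct-to-IP or cached)'}")
```

Connections whose lookup was answered from a client-side cache, or that went straight to an IP, come back with no name, which is the gap Kevin's "unless you're grabbing passive DNS" remark refers to.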