Show HN: Detecting malware through DNS queries – a Kali Pi / Snort project - dnlongen
http://dnlongen.blogspot.com/2015/01/detecting-malware-through-dns-queries.html

======
dnlongen
There are a couple of shortcomings in the current approach. I'd welcome
suggestions for how to improve this. The problems I see are:

1. The alert tells me the IP address of the offending computer or device, but
not the domain name that was requested. I have Snort configured to store each
packet that triggered an alert, and can use tcpdump to analyse the packets -
but that's a bit of a pain. Do any readers know of a way to include payload
fields from a DNS packet in the alert message?

2. I've identified 4 specific "warning page" DNS responses, but OpenDNS owns
far more addresses that they may use for other conditions now or in the
future. At a minimum, OpenDNS owns the ranges 67.215.64.0/19 and
204.194.232.0/21 -- all told, about 10,000 addresses. Snort supports matching
IP ranges in CIDR notation for the source and destination, but my approach
currently does a binary match in the payload. Do any readers have an example
of a Snort rule that parses DNS packets into their component fields?
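
As an added example (not from the post or its author), both shortcomings above can be handled on the capture side by parsing the DNS response instead of byte-matching the payload: this Python pulls the queried name and every A answer out of a response and flags any answer that falls inside the two OpenDNS ranges named above, so the match is by CIDR and the alert can carry the domain. `build_response` is an assumed helper that constructs the sample packets; a real deployment would feed it the UDP payload from a capture library.

```python
import ipaddress
import struct
# OpenDNS ranges named in the thread: an A answer inside them is an OpenDNS page.
OPENDNS_RANGES = [ipaddress.ip_network(n) for n in ("67.215.64.0/19", "204.194.232.0/21")]

def _read_name(pkt, off):
    """Decode a DNS name at `off`, following 0xC0xx compression pointers."""
    labels, end = [], None                            # end: offset just past the name
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def parse_a_answers(pkt):
    """Return [(qname, IPv4Address)] for each A record in a DNS response payload."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:                            # QR bit clear: this is a query
        return []
    off, qname = 12, None
    for _ in range(qd):
        name, off = _read_name(pkt, off)
        qname = qname or name
        off += 4                                      # skip QTYPE and QCLASS
    out = []
    for _ in range(an):
        _owner, off = _read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, IN class
            out.append((qname, ipaddress.ip_address(pkt[off:off + 4])))
        off += rdlen
    return out

def opendns_block_hits(pkt):
    """(qname, ip) pairs whose answer lands inside an OpenDNS range."""
    return [(n, str(ip)) for n, ip in parse_a_answers(pkt)
            if any(ip in net for net in OPENDNS_RANGES)]

def build_response(qname, ip, txid=0x1234):
    """Constructed test input: a minimal DNS A response answering qname -> ip."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.ip_address(ip).packed
    return hdr + q + struct.pack("!HH", 1, 1) + rr
```

Extending `OPENDNS_RANGES` covers new warning-page addresses without touching the match logic, which is the point of comparing the answer as an address rather than as bytes.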

------
dnlongen
Port-mirroring would work for any traffic that traversed the smart switch ...
I actually tried that at one point, but it's somewhat limited:

> If the smart switch is on the LAN side of the router, then I only see
> traffic from wired devices on the LAN and miss anything from wireless
> clients.

> If the smart switch is on the WAN side of the router, then I see any traffic
> destined for the Internet, but now the Pi has to account for NAT (everything
> coming back from DNS has a destination of my router's WAN interface).

------
micro-ram
Interesting approach comparing 2 DNS lookups. What about port mirroring the
upstream router connection from a smart switch? Would it overload the Pi? Then
it would be a simple plug and play device you could connect to any LAN (with
mirroring) for a check-up.

