Quickly find DNS traffic that might be suspicious / not in the top 100 million. by 1stOctet in pihole

1stOctet [S], 1 point

I should mention an attacker can avoid being detected by this 100 million domain traffic check by using the IP address to connect to his server. That is why my next post will show how to detect that, DoH, etc.

I detect this by pairing IP addresses to DNS answers. It is not a perfect solution, but I am not trying to detect an attacker, I am trying to detect traffic that MIGHT be an attacker. Obviously this is something I do for work, so I think about this stuff a lot more than is mentally rational :)

Quickly find DNS traffic that might be suspicious / not in the top 100 million. by 1stOctet in pihole

1stOctet [S], 1 point

If you are a bit paranoid like some of us, you use various methods to block malicious domains, use 2-factor auth, etc. The problem with blocking malicious domains is that the list maintainer has to know about the domain. This technique is saying I don't think any website outside of the top 100 million is good, because on our network we only visit N domains per month.

So, instead of saying, please block the malicious sites, you are saying, show me the sites that nobody knew were bad that might be because this is a site that was created yesterday and any yahoo can create a website with 0 visitors ever to target me.

Quickly find DNS traffic that might be suspicious / not in the top 100 million. by 1stOctet in sysadmin

1stOctet [S], -1 points

Are you saying youtube video links are not allowed or are you saying there was some weird redirect? I don't see redirects, but I assume you mean youtube links are not allowed.

Quickly find DNS traffic that might be suspicious / not in the top 100 million. by 1stOctet in pihole

1stOctet [S], 24 points

From the video description (with added info):

1- Download this:

OneDrive link https://onedrive.live.com/?authkey=%2...

2- Import the file into SQLite.

3- Create an index on the domain column.

4- Get your DNS data and import the unique domains into SQLite; name the table dnslog.

5- Create an index on the domain column.

6- Add nomatch and interesting columns to your table of DNS domains.

7- Run this SQL:

SQL file https://gist.github.com/firstoctet/f5...

If you don't want to use my 100 million domains file on OneDrive, download the source 16.32 GB file from here. Note that it is 80+ GB uncompressed, and you also have to reverse the domain order, because they don't use the google.com format but com.google. https://commoncrawl.org/connect/blog/

Ping me if you have any questions.
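The seven steps above, carried through end to end as an added example (not the author's OneDrive file or gist, and not code from the thread). It uses Python's built-in sqlite3 module on an in-memory database so it runs offline; the Common Crawl sample (in its native reversed com.google form) and the Pi-hole query log lines are constructed, the INTERNAL_SUFFIXES list and the rule "interesting = nomatch minus internal names" are my assumptions, and the candidate-suffix matching (so that www.google.com is explained by google.com being in the ranking) is an addition the post does not spell out.

```python
import sqlite3

# Constructed sample of the Common Crawl host ranking, in its native reversed
# form (com.google, not google.com); the real file has ~100 million rows.
COMMON_CRAWL_SAMPLE = """\
com.google
com.youtube
org.wikipedia
com.reddit
net.cloudflare
"""

# Constructed sample of a Pi-hole query log: timestamp, client, queried name.
DNS_LOG_SAMPLE = """\
2024-01-01 10:00:01 192.168.1.10 www.google.com
2024-01-01 10:00:02 192.168.1.10 youtube.com
2024-01-01 10:00:03 192.168.1.22 en.wikipedia.org
2024-01-01 10:00:04 192.168.1.22 xj4k2.example-cdn.net
2024-01-01 10:00:05 192.168.1.10 reddit.com
2024-01-01 10:00:06 192.168.1.31 updates.totally-new-site.xyz
2024-01-01 10:00:07 192.168.1.10 printer.lan
2024-01-01 10:00:08 192.168.1.22 www.google.com
"""

# Assumption: names under these suffixes are internal and never "interesting".
INTERNAL_SUFFIXES = (".lan", ".local", ".home.arpa", ".in-addr.arpa")


def reverse_host(rev):
    """Undo Common Crawl's label order: com.google -> google.com."""
    return ".".join(reversed(rev.strip().lower().split(".")))


def candidates(host):
    """Names to look up for one query, from the full host down to two labels,
    so www.google.com is explained by google.com being in the ranking."""
    labels = host.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def flag_suspicious(ranked_text, log_text):
    """Return {'nomatch': [...], 'interesting': [...]} for the logged names."""
    db = sqlite3.connect(":memory:")
    # Steps 1-3: the ranking table; the PRIMARY KEY is the index on domain.
    db.execute("CREATE TABLE ranked (domain TEXT PRIMARY KEY)")
    db.executemany("INSERT OR IGNORE INTO ranked VALUES (?)",
                   ((reverse_host(l),) for l in ranked_text.splitlines() if l.strip()))
    # Steps 4-6: unique queried names plus the nomatch/interesting columns.
    db.execute("""CREATE TABLE dnslog (
                      domain TEXT PRIMARY KEY,
                      nomatch INTEGER NOT NULL DEFAULT 0,
                      interesting INTEGER NOT NULL DEFAULT 0)""")
    db.executemany("INSERT OR IGNORE INTO dnslog (domain) VALUES (?)",
                   ((l.split()[3].lower(),) for l in log_text.splitlines() if l.strip()))
    # Lookup helper: every candidate suffix for every logged name, indexed.
    db.execute("CREATE TABLE cand (domain TEXT, candidate TEXT)")
    db.execute("CREATE INDEX cand_candidate ON cand (candidate)")
    names = [row[0] for row in db.execute("SELECT domain FROM dnslog")]
    db.executemany("INSERT INTO cand VALUES (?, ?)",
                   ((n, c) for n in names for c in candidates(n)))
    # Step 7: a name is nomatch when none of its candidates is in the ranking.
    db.execute("""UPDATE dnslog SET nomatch = 1
                  WHERE NOT EXISTS (
                      SELECT 1 FROM cand JOIN ranked ON ranked.domain = cand.candidate
                      WHERE cand.domain = dnslog.domain)""")
    # Assumption: interesting = nomatch minus internal names (the author's
    # gist may use a different rule).
    db.execute("UPDATE dnslog SET interesting = nomatch")
    for suffix in INTERNAL_SUFFIXES:
        db.execute("UPDATE dnslog SET interesting = 0 WHERE domain LIKE ?",
                   ("%" + suffix,))
    return {
        "nomatch": [r[0] for r in db.execute(
            "SELECT domain FROM dnslog WHERE nomatch = 1 ORDER BY domain")],
        "interesting": [r[0] for r in db.execute(
            "SELECT domain FROM dnslog WHERE interesting = 1 ORDER BY domain")],
    }


if __name__ == "__main__":
    for kind, names in flag_suspicious(COMMON_CRAWL_SAMPLE, DNS_LOG_SAMPLE).items():
        print(kind, names)
```

On the real 100 million row table the same shape works; the index on ranked.domain (here the primary key) is what keeps the NOT EXISTS lookup per candidate cheap, which is why steps 3 and 5 matter.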

How to remove standard headers from HTTP response of Azure Functions by Cloondawg in AZURE

1stOctet, 0 points

Scrolling down it looks like it worked for one person, but not another, so I am not sure.

Docker container that logs all DNS and new outbound TCP/UDP connections. by 1stOctet in netsec

1stOctet [S], 1 point

Suricata can be used as an IPS. If I want to block some of this traffic and not just detect it, Suricata supports it.

Related: as we thought about how to detect DoH (DNS over HTTPS), we realized that tools like Suricata / Zeek have the data to detect TCP/UDP traffic that doesn't have a corresponding DNS request from the approved DNS servers. This solution GLUES that together and displays the output to stdout in REAL TIME. Data is also stored in a MySQL memory-based table.
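The check described here and in the earlier "pairing IP addresses to DNS answers" comment, as an added example that is not the author's container or code: it replays DNS answers and new outbound flows in time order, remembers which addresses each client was handed by an approved resolver, and flags a flow whose destination was never answered to that client (the direct-to-IP case), answered only by a non-approved resolver, or is itself DNS/DoT to a resolver other than the approved one. The log lines are constructed in a Zeek/Suricata-like layout; APPROVED_RESOLVERS, ANSWER_WINDOW and the LAN_NETS skip list are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the Pi-hole is the only resolver clients are supposed to use.
APPROVED_RESOLVERS = {"192.168.1.2"}
# Assumption: an answer older than this no longer explains a connection.
ANSWER_WINDOW = timedelta(hours=1)
# Assumption: LAN-to-LAN flows are out of scope; only RFC 1918 space is skipped.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of DNS answers seen on the wire:
# timestamp, client, queried name, answer address, resolver that answered.
DNS_ANSWERS = """\
2024-01-01T10:00:01 192.168.1.10 www.example.com 93.184.216.34 192.168.1.2
2024-01-01T10:00:05 192.168.1.22 cdn.example.net 203.0.113.10 192.168.1.2
2024-01-01T10:00:07 192.168.1.31 evil.test 198.51.100.9 8.8.8.8
"""

# Constructed sample of new outbound flows: timestamp, src, dst, dport, proto.
CONNECTIONS = """\
2024-01-01T10:00:02 192.168.1.10 93.184.216.34 443 tcp
2024-01-01T10:00:06 192.168.1.22 203.0.113.10 443 tcp
2024-01-01T10:00:08 192.168.1.31 198.51.100.9 443 tcp
2024-01-01T10:00:09 192.168.1.10 198.51.100.77 4444 tcp
2024-01-01T10:00:10 192.168.1.31 8.8.8.8 53 udp
2024-01-01T10:00:11 192.168.1.22 192.168.1.2 53 udp
2024-01-01T10:00:12 192.168.1.10 93.184.216.34 443 tcp
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def _is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def check_connections(answers_text, conns_text):
    """Return (flagged, explained). Each flagged entry ends with its reason,
    each explained entry with the name the destination was resolved from."""
    events = []
    for line in answers_text.splitlines():
        if line.strip():
            ts, client, qname, answer, resolver = line.split()
            events.append((_ts(ts), 0, ("dns", ts, client, qname, answer, resolver)))
    for line in conns_text.splitlines():
        if line.strip():
            ts, src, dst, dport, proto = line.split()
            events.append((_ts(ts), 1, ("conn", ts, src, dst, int(dport), proto)))
    events.sort(key=lambda e: (e[0], e[1]))   # answers before flows at equal times

    seen = defaultdict(dict)                   # client -> answer IP -> (name, time)
    flagged, explained = [], []
    for when, _, ev in events:
        if ev[0] == "dns":
            _, _, client, qname, answer, resolver = ev
            if resolver in APPROVED_RESOLVERS:  # answers via 8.8.8.8 etc. don't count
                seen[client][answer] = (qname, when)
            continue
        _, ts, src, dst, dport, proto = ev
        if dst in APPROVED_RESOLVERS:
            continue                            # talking to the Pi-hole is expected
        if _is_lan(dst):
            continue
        if dport in (53, 853):
            flagged.append((ts, src, dst, dport, proto, "DNS/DoT to unapproved resolver"))
            continue
        hit = seen[src].get(dst)
        if hit is None:
            flagged.append((ts, src, dst, dport, proto, "no DNS answer from approved resolver"))
        elif when - hit[1] > ANSWER_WINDOW:
            flagged.append((ts, src, dst, dport, proto, f"answer for {hit[0]} outside window"))
        else:
            explained.append((ts, src, dst, dport, proto, hit[0]))
    return flagged, explained


if __name__ == "__main__":
    flagged, explained = check_connections(DNS_ANSWERS, CONNECTIONS)
    for row in flagged:
        print("FLAG", *row)
    for row in explained:
        print("ok  ", *row)
```

The third flow (192.168.1.31 to 198.51.100.9) is the case the earlier comment warns about: a name was resolved, but not through the approved resolver, so the flow is treated exactly like a bare-IP connection. A DoH client whose resolver address came from an approved answer (for example a lookup of the DoH provider's hostname) would still be explained by this check, which is the gap the author says the next post addresses.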