
detect DNS tunneling processor

Open · oalam opened this issue 7 years ago · 1 comment

https://www.sans.org/reading-room/whitepapers/malicious/splunk-detect-dns-tunneling-37022

DNS tunneling is a method to bypass security controls and exfiltrate data from a targeted organization. Choose any endpoint on your organization’s network, using nslookup, perform an A record lookup for www.sans.org. If it resolves with the site’s IP address, that endpoint is susceptible to DNS Tunneling. Logging DNS transactions from different sources such as network taps and the DNS servers themselves can generate large volumes of data to investigate. Using Splunk can help ingest the large volume of log data and mine the information to determine what malicious actors may be using DNS tunneling techniques on the target organization's network. This paper will guide the reader in building a lab network to test and understand different DNS tunneling tools. Then use Splunk and Splunk Stream to collect the data and detect the DNS tunneling techniques. The reader will be able to apply what they learn to any enterprise network.

oalam · Jan 23 '17 14:01
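The log-mining step the abstract describes (aggregate DNS query logs per zone and look for the traces a tunnel leaves: many unique subdomains, long high-entropy labels, bulk record types), as an added example that is not part of this issue or of logisland's code. The log format, the sample lines and the thresholds are constructed assumptions for the demo.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample query log (not a real capture): "<client> <qname> <qtype>".
SAMPLE_LOG = """\
10.0.0.5 www.sans.org A
10.0.0.7 3q7zk2m9x1c4v8b6n0h5j3l7.t.exfil-test.example TXT
10.0.0.7 9k2x7m1q4z8c3v6b0n5h9j2l.t.exfil-test.example TXT
10.0.0.7 p5w8r1t4y7u0i3o6a9s2d5f8.t.exfil-test.example TXT
10.0.0.7 g2h5j8k1l4z7x0c3v6b9n2m5.t.exfil-test.example TXT
10.0.0.9 cdn.static.example.org A
"""
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
MIN_DISTINCT_PREFIXES = 4  # thresholds are illustrative assumptions; tune to your baseline
MIN_AVG_ENTROPY = 3.5      # bits/char of the longest label; encoded payload looks random
MIN_AVG_LABEL_LEN = 20     # tunnels pack payload into long labels
BULK_QTYPES = {"TXT", "NULL", "CNAME"}  # record types that can carry large responses

def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty or single-symbol string)."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values()) if s else 0.0

def registered_domain(qname: str) -> str:
    """Last two labels, assumed registrable (a public-suffix list would be more accurate)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def parse_queries(log_text: str) -> dict:
    """Group queries by registered domain as (prefix, label_entropy, label_len, is_bulk)."""
    by_zone = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected format
        qname, qtype = m.group(2).rstrip(".").lower(), m.group(3).upper()
        zone = registered_domain(qname)
        longest = max(qname.split("."), key=len)  # the label most likely to carry payload
        by_zone[zone].append((qname[: -len(zone) - 1], shannon_entropy(longest),
                              len(longest), qtype in BULK_QTYPES))
    return by_zone

def suspected_tunnels(log_text: str) -> list:
    """(zone, queries, distinct_prefixes, avg_entropy, avg_label_len, bulk_ratio) per hit."""
    hits = []
    for zone, qs in parse_queries(log_text).items():
        n, prefixes = len(qs), {q[0] for q in qs}
        avg_ent, avg_lab = sum(q[1] for q in qs) / n, sum(q[2] for q in qs) / n
        if len(prefixes) >= MIN_DISTINCT_PREFIXES and avg_ent >= MIN_AVG_ENTROPY and avg_lab >= MIN_AVG_LABEL_LEN:
            hits.append((zone, n, len(prefixes), round(avg_ent, 2), round(avg_lab, 1), sum(q[3] for q in qs) / n))
    return hits
```

Running `suspected_tunnels(SAMPLE_LOG)` flags only the constructed `exfil-test.example` zone; a streaming processor would apply the same per-zone aggregation over a sliding window instead of the whole log.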

https://github.com/elastic/examples/tree/master/Security%20Analytics/dns_tunnel_detection

mathieu-rossignol · Dec 14 '17 16:12