[RPZ] Logging analysis and consolidation (part II)
Hugo Maxwell Connery
hmco at env.dtu.dk
Fri Feb 17 17:24:06 UTC 2012
Since my question about a tool for using RPZ as a security analysis tool
back in January, I have put together the basics that I wished for. It is very
much still an alpha product, but delivers the core of the data I wished to
See the attached one page graphic for a picture of what is happening.
* all RPZ responses from DNS resolvers are logged and shipped to a database
* all visits to the walled garden are logged and shipped to the same database
* the analysis web site allows querying of the raw data (DNS or Walled Garden),
or the more interesting correlated data (DNS log + Walled Garden log --> person
visiting nasty sites, or DNS with *no* corresponding Walled Garden log --> probable
Raw data is viewable as plain raw, or in aggregated form (total number of 'hits' by
each unique host in a period showing IP address, hostname, queried domain
and the total). Consolidated data is always aggregated.
The log scrapers for BIND 9.8.1 and Apache 2 are built, as is the web-site which
provides access to the data. Runs well on any Linux distro. A few small changes
will enable any OS that supports Perl and/or Postgres.
If anyone is interested in this, please contact me. I am particularly interested
in finding out other people's wishes for types of data queries, and other manners
in which the mechanism(s) can be improved.
Immediate plans are:
* finalise initial functionality, documentation and installation instructions
* implementation in my networks
* publish tools at an open source hosting environment (probably github.com)
* establishment of an example site with sanitised data
(estimate completion time 4 weeks).
I hope that there are others interested in the use of RPZ as a security analysis tool.
Any interested person's input towards this effort would be gladly appreciated.
If I am misusing this mailing list, please let me know and I will gladly cease and desist.
Hugo Connery, Head of IT, DTU Environment
PS: Here is the type of data that one sees for a DNS + Walled Garden query.
date_trunc count client_ip client_hostname query_domain
2012-02-06 00:00:00 6 126.96.36.199 host3.org 4.nasty.com
2012-02-06 00:00:00 4 188.8.131.52 host1.org 1.nasty.com
2012-02-06 00:00:00 2 184.108.40.206 host2.org 2.nasty.com
2012-02-06 00:00:00 2 220.127.116.11 host2.org 3.nasty.com
PPS: A recent detailed report into the mechanisms behind the RSA attacks last year (and some other
similar attacks) makes recommendations regarding the configuration of local DNS
resolvers that seem relevant to RPZ (and the tool being developed). The report can
be viewed at:
http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf (PDF 600 KB)
(I have no association with the security company that published the report).
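As an added illustration of the correlation described above (not code from the author's tool, which is Perl/Postgres), the snippet below scrapes constructed BIND RPZ rewrite log lines and walled-garden Apache access log lines, then joins them by client IP and day to produce the aggregated "DNS + Walled Garden" rows and the "DNS with no Walled Garden visit" rows. The BIND log line format is assumed from BIND's rpz logging; the reverse lookup that fills the client_hostname column is omitted so the example runs offline.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample BIND 9.8 RPZ rewrite log lines (format assumed, not taken from the tool)
BIND_LOG = """\
06-Feb-2012 10:15:22.101 client 126.96.36.199#51234: rpz QNAME CNAME rewrite 4.nasty.com via 4.nasty.com.rpz.local
06-Feb-2012 10:16:02.334 client 126.96.36.199#51240: rpz QNAME CNAME rewrite 4.nasty.com via 4.nasty.com.rpz.local
06-Feb-2012 11:02:09.771 client 188.8.131.52#40001: rpz QNAME CNAME rewrite 1.nasty.com via 1.nasty.com.rpz.local
06-Feb-2012 11:40:55.002 client 184.108.40.206#33010: rpz QNAME CNAME rewrite 2.nasty.com via 2.nasty.com.rpz.local
"""

# Constructed Apache common-log lines from the walled-garden web server
APACHE_LOG = """\
126.96.36.199 - - [06/Feb/2012:10:15:23 +0000] "GET / HTTP/1.1" 200 512
126.96.36.199 - - [06/Feb/2012:10:16:03 +0000] "GET / HTTP/1.1" 200 512
188.8.131.52 - - [06/Feb/2012:11:02:10 +0000] "GET /favicon.ico HTTP/1.1" 200 318
"""

BIND_RE = re.compile(r"^(\S+ \S+) client (\d+\.\d+\.\d+\.\d+)#\d+: rpz \S+ \S+ rewrite (\S+) via")
APACHE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) \S+ \S+ \[([^\]]+)\]")

def parse_bind(text):
    """Yield (day, client_ip, query_domain) for each RPZ rewrite line."""
    for line in text.splitlines():
        m = BIND_RE.match(line)
        if m:
            day = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f").date()
            yield day, m.group(2), m.group(3)

def parse_apache(text):
    """Yield (day, client_ip) for each walled-garden hit."""
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if m:
            day = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").date()
            yield day, m.group(1)

def correlate(bind_text, apache_text):
    """Return (confirmed, dns_only): Counters keyed by (day, client_ip, query_domain).
    confirmed = RPZ hits whose client also reached the walled garden that day (person visiting
    a nasty site); dns_only = RPZ hits with no corresponding walled-garden log entry."""
    garden = {(day, ip) for day, ip in parse_apache(apache_text)}
    confirmed, dns_only = Counter(), Counter()
    for day, ip, dom in parse_bind(bind_text):
        bucket = confirmed if (day, ip) in garden else dns_only
        bucket[(str(day), ip, dom)] += 1  # day-level aggregation, like date_trunc('day', ...)
    return confirmed, dns_only

if __name__ == "__main__":
    for label, rows in zip(("DNS + Walled Garden", "DNS only"), correlate(BIND_LOG, APACHE_LOG)):
        print(label)
        for (day, ip, dom), n in sorted(rows.items()):
            print(f"  {day} {n} {ip} {dom}")
```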