[RPZ] Logging analysis and consolidation (part II)

Alan Doherty dnsrpz at alandoherty.net
Fri Feb 17 20:41:53 UTC 2012

still points to a user who would/could have either browsed to or been caught by malware if uncaught by the system
(just going o a site not on the list that links to a site on the list, its still a user on a malicious/hacked site)

also pre-fetching shouldnt ever be cross domain, or go further than the robots.txt on the trap-sign that should tell it to pre-fetch no more
(which could be logged seperatly)

if any browser does ignore robots.txt on pre-fetching it would have long ago shown on one of my bot-traps radar
(bluecoat web proxy being the only (now fixed) case thus far)

At 17:43 17/02/2012  Friday, Eric Ziegast wrote:
>Consider in your analysis that some browsers might do pre-fetching
>which might yield false positives on either the DNS or HTTP download
>side.  Just a thought.
>On 2/17/12 9:24 AM, Hugo Maxwell Connery wrote:
>> * all RPZ responses from DNS resolvers are logged and shipped to a database
>> * all visits to the walled garden are logged and shipped to the same database
>> * the analysis web site allows querying of the raw data (DNS or Walled Garden), 
>>   or the more interesting correlated data (DNS log + Walled Garden log --> person 
>>   visiting nasty sites, or DNS with *no* corresponding Walled Garden log --> probable 
>>   malware activity).
>dnsrpz-interest mailing list
>dnsrpz-interest at lists.isc.org

More information about the DNSfirewalls mailing list