[RPZ] Logging analysis and consolidation (part II)
Alan Doherty
dnsrpz at alandoherty.net
Fri Feb 17 20:41:53 UTC 2012
still points to a user who would/could have either browsed to or been caught by malware if uncaught by the system
(just going to a site not on the list that links to a site on the list, it's still a user on a malicious/hacked site)
also pre-fetching shouldn't ever be cross domain, or go further than the robots.txt on the trap-sign that should tell it to pre-fetch no more
(which could be logged separately)
if any browser does ignore robots.txt on pre-fetching it would have long ago shown on one of my bot-traps' radar
(bluecoat web proxy being the only (now fixed) case thus far)
At 17:43 17/02/2012 Friday, Eric Ziegast wrote:
>Consider in your analysis that some browsers might do pre-fetching
>which might yield false positives on either the DNS or HTTP download
>side. Just a thought.
>
>On 2/17/12 9:24 AM, Hugo Maxwell Connery wrote:
>> * all RPZ responses from DNS resolvers are logged and shipped to a database
>> * all visits to the walled garden are logged and shipped to the same database
>> * the analysis web site allows querying of the raw data (DNS or Walled Garden),
>> or the more interesting correlated data (DNS log + Walled Garden log --> person
>> visiting nasty sites, or DNS with *no* corresponding Walled Garden log --> probable
>> malware activity).
>_______________________________________________
>dnsrpz-interest mailing list
>dnsrpz-interest at lists.isc.org
>https://lists.isc.org/mailman/listinfo/dnsrpz-interest
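The correlation Hugo describes (an RPZ rewrite followed by a walled-garden hit from the same client means a person browsed to a listed site; an RPZ rewrite with no walled-garden hit means probable malware), with Eric's pre-fetch caveat folded in as a third verdict, as an added example that is not code from any post in this thread. The log line formats, client addresses, hostnames, the 60-second correlation window and the "purpose" field (standing in for a browser pre-fetch hint the walled garden would have to record) are all constructed assumptions for the demo, not any resolver's or web server's real output.

```python
"""Correlate RPZ resolver logs with walled-garden web logs.

Added example. The two log formats below are constructed for this demo;
a real deployment would parse the resolver's and web server's own formats.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed resolver log: timestamp, client IP, name that RPZ rewrote.
RPZ_LOG = """\
2012-02-17 09:24:01 client 10.0.0.5 rpz QNAME rewrite bad.example
2012-02-17 09:24:40 client 10.0.0.9 rpz QNAME rewrite c2.example
2012-02-17 09:25:10 client 10.0.0.5 rpz QNAME rewrite drive-by.example
2012-02-17 09:30:00 client 10.0.0.9 rpz QNAME rewrite c2.example
"""

# Constructed walled-garden access log: timestamp, client IP, Host header,
# and a "purpose" field ('prefetch' if the request carried a pre-fetch hint).
GARDEN_LOG = """\
2012-02-17 09:24:03 10.0.0.5 host=bad.example purpose=-
2012-02-17 09:25:11 10.0.0.5 host=drive-by.example purpose=prefetch
"""

RPZ_RE = re.compile(r"^(\S+ \S+) client (\S+) rpz QNAME rewrite (\S+)$")
GARDEN_RE = re.compile(r"^(\S+ \S+) (\S+) host=(\S+) purpose=(\S+)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"
WINDOW = timedelta(seconds=60)  # assumed: how long a browser takes to follow the rewrite


def parse_rpz(text):
    """Yield (time, client_ip, rewritten_name) for each RPZ log line."""
    events = []
    for line in text.splitlines():
        m = RPZ_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3)))
    return events


def parse_garden(text):
    """Yield (time, client_ip, host, purpose) for each walled-garden log line."""
    events = []
    for line in text.splitlines():
        m = GARDEN_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3), m.group(4)))
    return events


def correlate(rpz_events, garden_events, window=WINDOW):
    """Return (client_ip, name, dns_time, verdict) for every RPZ rewrite.

    user-visit        : a walled-garden request for that host from that client
                        arrived within the window -> a person browsed there
    possible-prefetch : only pre-fetch-tagged requests arrived -> do not
                        count it as a deliberate visit (Eric's false-positive)
    probable-malware  : nothing reached the walled garden -> the name was
                        resolved by something that never rendered the page
    """
    garden_by_key = defaultdict(list)
    for t, ip, host, purpose in garden_events:
        garden_by_key[(ip, host)].append((t, purpose))

    results = []
    for t, ip, name in rpz_events:
        hits = [(gt, p) for gt, p in garden_by_key.get((ip, name), [])
                if t <= gt <= t + window]
        if not hits:
            verdict = "probable-malware"
        elif all(p == "prefetch" for _, p in hits):
            verdict = "possible-prefetch"
        else:
            verdict = "user-visit"
        results.append((ip, name, t, verdict))
    return results


def summarize(results):
    """Per-client verdict counts, e.g. to rank hosts for follow-up."""
    summary = defaultdict(Counter)
    for ip, _name, _t, verdict in results:
        summary[ip][verdict] += 1
    return summary


if __name__ == "__main__":
    findings = correlate(parse_rpz(RPZ_LOG), parse_garden(GARDEN_LOG))
    for ip, name, t, verdict in findings:
        print(f"{t} {ip:<10} {name:<20} {verdict}")
    for ip, counts in summarize(findings).items():
        print(ip, dict(counts))
```

The correlation key is (client address, rewritten name), so a walled-garden hit for one listed host does not excuse a DNS rewrite for a different one from the same client, and the window only looks forward from the DNS event, since the browser's HTTP request cannot precede the lookup that redirected it. With the constructed data, 10.0.0.9 resolves c2.example twice and never reaches the walled garden, which is the "DNS with no corresponding walled-garden log" case the original post flags as probable malware.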