[RPZ] Logging analysis and consolidation

Hugo Maxwell Connery hmco at env.dtu.dk
Sat Jan 7 16:32:43 UTC 2012


I am fairly new to bind, so please excuse any obvious lack of knowledge.

I have *easily* set up bind 9.8.1 and RPZ with a local zone and a slave from
rpz.spamhaus.org.  Thus, my thanks to all for the documentation that is
out there.

My desired implementation is a walled garden.  It's up, and it works.

However, I wish to receive, for example, a mail once per week telling
two things:

- these hosts are repeatedly asking for blocked sites (DNS log parsing); and
- these hosts are repeatedly visiting the walled garden

The first would seem to indicate a system compromised by malware
that is using the local resolver.

The second would seem to indicate a person who likes clicking on links
in spam.

These two logs (DNS and WWW) need correlation to produce a better
picture of separating user action from malware action.

My questions are (for example, parsing Bind and Apache logs):

- does this log parsing software exist
- if not, do others see this as valuable

I am happy to devote time to assist in the construction of the combined
log parsing facility if that is seen as valuable.

Thanks to ISC and the content distributors.

Regards,  Hugo
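A minimal version of the correlation the post asks for, added here as an example and not part of Hugo's message: it counts RPZ rewrites per client from BIND's "rpz" log category and walled-garden page hits per client from the Apache access log, then separates "repeated blocked lookups but never loads the garden page" (malware-like) from "lookups followed by garden visits" (user-like). The BIND line format in the regex, the threshold of 3, and all sample log lines are assumptions; check the regex against your own named.log before trusting the counts.

```python
import re
from collections import Counter

# Constructed BIND "rpz" category lines (format assumed; verify against named.log).
RPZ_LOG = """\
07-Jan-2012 10:00:01.123 client 192.0.2.10#51234: rpz QNAME CNAME rewrite bad.example via bad.example.rpz.spamhaus.org
07-Jan-2012 10:00:02.456 client 192.0.2.10#51235: rpz QNAME CNAME rewrite bad.example via bad.example.rpz.spamhaus.org
07-Jan-2012 10:00:03.789 client 192.0.2.10#51236: rpz QNAME CNAME rewrite worse.example via worse.example.rpz.spamhaus.org
07-Jan-2012 10:05:00.000 client 192.0.2.20#40000: rpz QNAME CNAME rewrite spamlink.example via spamlink.example.rpz.local
"""

# Constructed Apache combined-format lines from the walled-garden vhost.
WWW_LOG = """\
192.0.2.20 - - [07/Jan/2012:10:05:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.20 - - [07/Jan/2012:10:05:02 +0000] "GET /style.css HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

RPZ_RE = re.compile(r"client (\d+\.\d+\.\d+\.\d+)#\d+: rpz \S+ \S+ rewrite (\S+)")
WWW_RE = re.compile(r'^(\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) ')


def count_rpz_hits(text):
    """Number of RPZ-rewritten (blocked) lookups per client IP."""
    hits = Counter()
    for line in text.splitlines():
        m = RPZ_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def count_garden_visits(text):
    """Number of walled-garden requests per client IP (assets inflate this;
    filter on path if the garden page pulls in many static files)."""
    visits = Counter()
    for line in text.splitlines():
        m = WWW_RE.match(line)
        if m:
            visits[m.group(1)] += 1
    return visits


def correlate(rpz_hits, www_visits, threshold=3):
    """Classify every client seen in either log; threshold is an assumed tuning knob."""
    report = {}
    for ip in sorted(set(rpz_hits) | set(www_visits)):
        dns, web = rpz_hits[ip], www_visits[ip]   # Counter returns 0 for unseen keys
        if dns >= threshold and web == 0:
            report[ip] = "suspected malware: %d blocked lookups, never loaded the garden page" % dns
        elif web > 0:
            report[ip] = "user clicking blocked links: %d lookups, %d garden hits" % (dns, web)
        else:
            report[ip] = "low volume: %d blocked lookups, review manually" % dns
    return report
```

For the weekly mail, run the two counters over the rotated logs and send the lines of `correlate(...)` as the message body.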

