[RPZ] Logging analysis and consolidation
Hugo Maxwell Connery
hmco at env.dtu.dk
Sat Jan 7 16:32:43 UTC 2012
Hi,
I am fairly new to bind, so please excuse any obvious lack of knowledge.
I have *easily* set up bind 9.8.1 and RPZ with a local zone and a slave from
rpz.spamhaus.org. Thus, my thanks to all for the documentation that is
out there.
My desired implementation is a walled garden. It's up, and it works.
However, I wish to receive, for example, a mail once per week telling
two things:
- these hosts are repeatedly asking for blocked sites (DNS log parsing); and
- these hosts are repeatedly visiting the walled garden
The first would seem to indicate a system compromised by malware
that is using the local resolver.
The second would seem to indicate a person who likes clicking on links
in spam.
These two logs (DNS and WWW) need correlation to produce a better
picture of separating user action from malware action.
My questions are (for example, parsing Bind and Apache logs):
- does this log parsing software exist?
- if not, do others see this as valuable?
I am happy to devote time to assist in the construction of the combined
log parsing facility if that is seen as valuable.
Thanks to ISC and the content distributors.
Regards, Hugo
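An added example, not part of the original post, sketching the correlation described above: count RPZ rewrites per client from the BIND log, count walled-garden visits per client from the Apache log, and flag hosts that repeatedly hit RPZ but never reach the garden. The RPZ line layout is modelled on BIND's "rpz QNAME ... rewrite" messages, the sample log lines are constructed, and the threshold is an assumption.

```python
import re
from collections import Counter

# Assumed layout, modelled on BIND 9.8 rpz rewrite log messages.
RPZ_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: rpz QNAME \S+ rewrite (?P<qname>\S+) via")
# Apache common/combined log: the client IP is the first field.
APACHE_RE = re.compile(r"^(?P<ip>[\d.]+) \S+ \S+ \[[^\]]+\] \"[^\"]*\"")

# Constructed sample lines (not real traffic).
DNS_LOG = [
    "07-Jan-2012 16:00:01.000 rpz: client 10.0.0.5#51234: rpz QNAME CNAME rewrite bad.example via bad.example.rpz.local",
    "07-Jan-2012 16:00:02.000 rpz: client 10.0.0.5#51235: rpz QNAME CNAME rewrite bad.example via bad.example.rpz.local",
    "07-Jan-2012 16:00:03.000 rpz: client 10.0.0.5#51236: rpz QNAME CNAME rewrite spam.example via spam.example.rpz.local",
    "07-Jan-2012 16:00:04.000 rpz: client 10.0.0.5#51237: rpz QNAME CNAME rewrite spam.example via spam.example.rpz.local",
    "07-Jan-2012 16:05:00.000 rpz: client 10.0.0.9#40001: rpz QNAME CNAME rewrite c2.example via c2.example.rpz.local",
    "07-Jan-2012 16:06:00.000 rpz: client 10.0.0.9#40002: rpz QNAME CNAME rewrite c2.example via c2.example.rpz.local",
    "07-Jan-2012 16:07:00.000 rpz: client 10.0.0.9#40003: rpz QNAME CNAME rewrite c2.example via c2.example.rpz.local",
    "07-Jan-2012 16:08:00.000 rpz: client 10.0.0.7#40004: rpz QNAME CNAME rewrite bad.example via bad.example.rpz.local",
    "07-Jan-2012 16:09:00.000 queries: client 10.0.0.9#40005: query: www.example.org IN A + (10.0.0.1)",
]
WWW_LOG = [
    '10.0.0.5 - - [07/Jan/2012:16:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [07/Jan/2012:16:00:04 +0000] "GET /blocked.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [07/Jan/2012:16:08:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

def count_matches(lines, pattern, use_search):
    """Count log lines per client IP that match the given pattern."""
    hits = Counter()
    for line in lines:
        m = pattern.search(line) if use_search else pattern.match(line)
        if m:
            hits[m.group("ip")] += 1
    return hits

def classify(dns_hits, www_hits, threshold=3):
    """Hosts with repeated RPZ rewrites: those that never reach the walled garden
    look like malware using the resolver; those that do look like a user clicking."""
    report = {}
    for ip, n in dns_hits.items():
        if n >= threshold:  # threshold is an assumed tuning knob
            visits = www_hits.get(ip, 0)
            verdict = "user-click" if visits else "likely-malware"
            report[ip] = {"dns": n, "www": visits, "verdict": verdict}
    return report

def weekly_report(dns_log=DNS_LOG, www_log=WWW_LOG):
    dns_hits = count_matches(dns_log, RPZ_RE, use_search=True)
    www_hits = count_matches(www_log, APACHE_RE, use_search=False)
    return classify(dns_hits, www_hits)
```

The join key is the client IP, so it only holds where the resolver and the garden web server see the same, un-NATed source address.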