[ARGUS] Matching DNS Names

eric-list-argus at catastrophe.net
Tue May 11 14:59:14 EDT 2004


My next question for the day... :)

Let's say we're looking for traffic to kooky.res.example.edu.

Kooky is an IRC controller for a botnet of 10,000 machines. It's not
exactly doing nice things. However, being crafty folks, the kiddiez
that set up this machine also set up 10 other machines throughout the
Internet as well. So when we look up kooky.example.org, 11 IP
addresses are returned.

This gets to be difficult to deal with using ra* tools. Will ra*
tools resolve kooky.example.org and look for all 11 IP addresses
returned, or must we manually look up the addresses and use that
information?

If the latter, has anyone modified the tools to match all returned
records for the DNS name? I'm thinking this would be rather easy to
implement and some magic could be done as well. OpenBSD's packet
filter does some expansion so the code might be taken from it.

Thanks;

- Eric
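One way to do the expansion outside ra itself, as an added example that is not part of the original post or of the argus tools: resolve the name to every address the resolver returns (A and AAAA, not just the first), then build a tcpdump-style "host A or host B ..." filter and hand it to ra after the "-" separator. The 11 sample addresses below are constructed from the documentation ranges and stand in for what the resolver would return; resolve_all() needs network access and is not exercised by the demo; the argus file name is a placeholder.

```python
"""Expand a DNS name to all of its addresses and build a ra* filter
that matches any of them (added example, not from the original post
or the argus distribution)."""
import ipaddress
import socket
from typing import Iterable, List

# Constructed stand-in for the 11 addresses the post describes.
# These are documentation ranges (RFC 5737 / RFC 3849), not real hosts.
SAMPLE_ADDRESSES = [
    "192.0.2.10", "192.0.2.11", "192.0.2.12",
    "198.51.100.7", "198.51.100.8", "198.51.100.9", "198.51.100.10",
    "203.0.113.20", "203.0.113.21", "203.0.113.22",
    "2001:db8::1",
]


def resolve_all(name: str) -> List[str]:
    """Return every IPv4/IPv6 address the resolver returns for `name`.

    getaddrinfo hands back all A and AAAA records, so none of the
    round-robin members are missed. Requires network access. The
    result is a snapshot: re-resolve and log the set each time, since
    botnet controllers rotate their records.
    """
    seen = set()
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            name, None, proto=socket.IPPROTO_TCP):
        seen.add(sockaddr[0].split("%")[0])  # drop any IPv6 scope id
    # Sort v4 before v6, then numerically, so output is stable.
    return sorted(seen, key=lambda a: (ipaddress.ip_address(a).version,
                                       int(ipaddress.ip_address(a))))


def build_filter(addrs: Iterable[str]) -> str:
    """Build a ra* filter expression matching any of `addrs`.

    ra filters use tcpdump-style syntax, so 'host A or host B' matches
    flows that have either address as source or destination. Each
    address is validated (ValueError on garbage) and duplicates are
    dropped. An empty list raises rather than silently yielding an
    empty filter, which in ra would match every record.
    """
    uniq: List[str] = []
    for a in addrs:
        s = str(ipaddress.ip_address(a))  # canonical form, rejects junk
        if s not in uniq:
            uniq.append(s)
    if not uniq:
        raise ValueError("no addresses to filter on")
    return " or ".join(f"host {a}" for a in uniq)


def ra_command(argus_file: str, addrs: Iterable[str],
               tool: str = "ra") -> List[str]:
    """argv for `ra -r <file> - <filter>`, ready for subprocess.run().

    The filter words are passed as separate arguments, the same way
    they would be typed on the command line after the '-' separator.
    """
    return [tool, "-r", argus_file, "-"] + build_filter(addrs).split()


def demo() -> List[str]:
    """Build the command for the constructed address list."""
    return ra_command("argus.out", SAMPLE_ADDRESSES)


if __name__ == "__main__":
    print(" ".join(demo()))
```

For a live name, replace SAMPLE_ADDRESSES with resolve_all("kooky.example.org") and keep the returned list alongside the capture, so that the set of addresses actually searched is recorded even after the DNS records change.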


