[ARGUS] Matching DNS Names

Carter Bullard carter at qosient.com
Tue May 11 15:51:09 EDT 2004


Hey Eric,
   The code should create a filter looking for any of the
addresses returned by a gethostbyname() call.   Use the '-b'
option to dump out the filter that is generated.

   So I tried kooky.res.example.edu, but alas, 'unknown host'

Carter


-----Original Message-----
From: owner-argus-info at lists.andrew.cmu.edu
[mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
eric-list-argus at catastrophe.net
Sent: Tuesday, May 11, 2004 2:59 PM
To: argus-info at lists.andrew.cmu.edu
Subject: [ARGUS] Matching DNS Names

My next question for the day... :)

Let's say we're looking for traffic to kooky.res.example.edu.

Kooky is an IRC controller for a botnet of 10,000 machines. It's not
exactly doing nice things. However, being crafty folks, the kiddiez
that set up this machine also set up 10 other machines throughout the
Internet as well. So when we look up kooky.example.org, 11 IP
addresses are returned.

This gets to be difficult to deal with using ra* tools. Will ra*
tools resolve kooky.example.org and look for all 11 IP addresses
returned, or must we manually lookup the addresses and use that
information?

If the latter, has anyone modified the tools to match all returned
records for the DNS name? I'm thinking this would be rather easy to
implement and some magic could be done as well. OpenBSD's packet
filter does some expansion so the code might be taken from it.

Thanks;

- Eric
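As an added illustration of the expansion Carter describes (this is not code from argus or from either poster), the C program below resolves a name to every IPv4 address it returns and joins them into a single `host A or host B ...` filter expression; it uses getaddrinfo() in place of gethostbyname(), the function names build_host_filter and resolve_all_v4 are chosen here, and a name that fails to resolve is reported rather than turned into an empty, match-everything filter.

```c
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Join resolved addresses into "host A or host B ...". Returns the length, or
 * -1 on a too-small buffer or no addresses (an empty filter matches everything). */
int build_host_filter(char addrs[][INET_ADDRSTRLEN], int n, char *out, size_t outlen)
{
    size_t used = 0;
    if (n <= 0) return -1;
    for (int i = 0; i < n; i++) {
        int w = snprintf(out + used, outlen - used, "%shost %s",
                         i ? " or " : "", addrs[i]);
        if (w < 0 || (size_t)w >= outlen - used) return -1;
        used += (size_t)w;
    }
    return (int)used;
}

/* Resolve a name to every IPv4 address (what gethostbyname()'s h_addr_list
 * holds). Returns the count, or -1 with the resolver's message in *err. */
int resolve_all_v4(const char *name, char addrs[][INET_ADDRSTRLEN], int max,
                   const char **err)
{
    struct addrinfo hints = {0}, *res, *p;
    int n = 0, rc;
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;  /* one entry per address, not per protocol */
    if ((rc = getaddrinfo(name, NULL, &hints, &res)) != 0)
        { *err = gai_strerror(rc); return -1; }
    for (p = res; p && n < max; p = p->ai_next)
        inet_ntop(AF_INET, &((struct sockaddr_in *)p->ai_addr)->sin_addr,
                  addrs[n++], INET_ADDRSTRLEN);
    freeaddrinfo(res);
    return n;
}

int main(int argc, char **argv)
{
    char addrs[16][INET_ADDRSTRLEN], filter[1024];
    const char *err = NULL;
    int n = resolve_all_v4(argc > 1 ? argv[1] : "localhost", addrs, 16, &err);
    if (n < 0) { fprintf(stderr, "unknown host: %s\n", err); return 1; }
    if (build_host_filter(addrs, n, filter, sizeof filter) < 0) return 1;
    printf("%s\n", filter);  /* the expression to hand to ra as its filter */
    return 0;
}
```

Run it with a hostname as the only argument; the printed expression is the "host ... or host ..." form the poster wants generated from all records behind one name.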
