<h1>Persistent Threat Detection on a Budget</h1>
<p>Posted 2012-11-08 at <a href="http://bucktownbell.com/?p=8157">http://bucktownbell.com/?p=8157</a> (category: networking; tags: dns, network-intrusion, security).</p>
<blockquote><p>It’s staggering to me how few security teams have gotten wise to regularly interrogating the logs from their recursive DNS servers. In many ways DNS logging can be considered sprinkling flour on the floor to track the footsteps of the culprit who’s been raiding the family fridge. Each step leaves a visible impression of where and how the intruder navigated the kitchen, and their shoe size.</p></blockquote>
<p>via <a href="https://blog.damballa.com/archives/1834">Persistent Threat Detection on a Budget « Damballa</a>.</p>
<p>To turn on query logging in BIND, use:</p>
<p><code># rndc querylog</code></p>
<p>This writes every DNS query the server answers to /var/log/messages (the command toggles query logging, so running it a second time turns it off again). Just grep for <code>named</code> and pipe the result into a custom Perl script, or whatever you prefer, that checks the queried names against a blacklist.</p>
<p><code># grep named /var/log/messages | run_my_blacklist_script.pl</code></p>