Sometimes we need to pinpoint the source of a suspicious DNS query alert raised by an IDS such as Snort. tcpdump and tshark are the essential tools for that packet analysis.
# tcpdump -vvv -s 0 -l -n port 53 | grep suspicious.dns.url
(-l line-buffers stdout so grep sees each packet as it arrives; -n keeps addresses numeric so the capture itself does not generate further DNS lookups)
# tcpdump -n 'dst host suspicious.ip'
(the BPF filter is the positional expression at the end; tcpdump's "-f" only prints foreign IPv4 addresses numerically and is not a filter flag, so it is dropped here)
# grep suspicious.dhcp.client /var/log/messages
=> the DHCP server's DHCPACK line for that client IP gives you its physical (MAC) address and, if the client sent one, its computer name.
REF: https://jontai.me/blog/2011/11/monitoring-dns-queries-with-tcpdump/
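The same hunt, carried through end to end as an added shell example (not code from the original post or the referenced article): it parses the line format of `tcpdump -n -l port 53` (non-verbose) and ISC dhcpd DHCPACK lines as they appear in /var/log/messages, both constructed below, and maps each client IP that queried the suspicious domain to its MAC and hostname. The domain, IPs, MACs and hostnames are made-up placeholders.

```shell
#!/bin/sh
# Correlate a suspicious DNS query with the DHCP lease of the host that sent it.
# Added example; every sample line below is constructed, not a real capture.

# Constructed lines in the format of `tcpdump -n -l port 53` (non-verbose output).
TCPDUMP_SAMPLE='12:01:03.118203 IP 192.168.1.23.51234 > 192.168.1.1.53: 41532+ A? suspicious.dns.url. (36)
12:01:03.118940 IP 192.168.1.1.53 > 192.168.1.23.51234: 41532 1/0/0 A 203.0.113.7 (52)
12:01:04.220011 IP 192.168.1.40.40001 > 192.168.1.1.53: 7781+ A? www.example.com. (33)
12:01:05.000100 IP 192.168.1.55.60321 > 192.168.1.1.53: 9910+ AAAA? suspicious.dns.url. (36)'

# Constructed ISC dhcpd lines in the shape they take in /var/log/messages.
# The "(hostname)" part is only present when the client sent a hostname option.
DHCP_SAMPLE='Mar  4 08:55:10 dhcpsrv dhcpd: DHCPREQUEST for 192.168.1.23 from 00:11:22:33:44:55 (WORKSTATION-23) via eth0
Mar  4 08:55:10 dhcpsrv dhcpd: DHCPACK on 192.168.1.23 to 00:11:22:33:44:55 (WORKSTATION-23) via eth0
Mar  4 09:02:41 dhcpsrv dhcpd: DHCPACK on 192.168.1.55 to aa:bb:cc:dd:ee:ff via eth0
Mar  4 09:10:00 dhcpsrv dhcpd: DHCPACK on 192.168.1.40 to 66:77:88:99:aa:bb (LAPTOP-40) via eth0'

# dns_query_sources DOMAIN < tcpdump-output
# Prints, deduplicated, the client IP of every *query* for DOMAIN.
# Only queries are matched (record type ends in "?"), and the domain is compared
# exactly, including tcpdump's trailing dot, so "suspicious.dns.url.evil" is not a hit.
dns_query_sources() {
    awk -v dom="$1." '
        $2 == "IP" && $4 == ">" && substr($7, length($7)) == "?" && $8 == dom {
            src = $3
            sub(/\.[0-9]+$/, "", src)      # strip the source port suffix
            if (!seen[src]++) print src
        }'
}

# dhcp_lease_for_ip IP < /var/log/messages
# Prints "MAC HOSTNAME" from the most recent DHCPACK for IP (last one wins);
# HOSTNAME is "-" when dhcpd logged no parenthesised client hostname.
# Prints nothing if the IP never received a DHCPACK (static host, or older logs rotated away).
dhcp_lease_for_ip() {
    awk -v ip="$1" '
        / dhcpd: DHCPACK on / {
            for (i = 1; i <= NF; i++) {
                if ($i == "on" && $(i + 1) == ip) {
                    mac = $(i + 3); host = "-"
                    if ($(i + 4) ~ /^\(.*\)$/) { host = $(i + 4); gsub(/[()]/, "", host) }
                }
            }
        }
        END { if (mac != "") print mac, host }'
}

# hunt DOMAIN: for every client that queried DOMAIN print "IP MAC HOSTNAME".
hunt() {
    printf '%s\n' "$TCPDUMP_SAMPLE" | dns_query_sources "$1" | while read -r src; do
        lease=$(printf '%s\n' "$DHCP_SAMPLE" | dhcp_lease_for_ip "$src")
        printf '%s %s\n' "$src" "${lease:-no-DHCPACK-found}"
    done
}

hunt suspicious.dns.url
```

Against live data the two functions are used directly: `tcpdump -n -l port 53 | dns_query_sources suspicious.dns.url` on the resolver or a span port, then `dhcp_lease_for_ip 192.168.1.23 < /var/log/messages` on the DHCP server. The exact-domain match and the "queries only" check matter in practice: grepping the raw tcpdump output also matches the resolver's responses and any longer name that merely contains the string, which would point you at the DNS server instead of the client.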