10.4 Domain Stats and Frequency Server
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
Already have an account? Sign In »
3 hours 10 minutes
now the next two items will discuss are built in two security onion, and they just need to be turned on to be functional.
The first is domain stats. How Domain Stats is a python script that checks on domain age and whether or not a domain is in the Alexa Top one million domains, which is a list that was put together by Amazon.
Now the value to using domain stats is that traffic to newly registered domains could be suspicious as bad actors will frequently spend up a domain for a campaign and then abandoned at once, have been blacklisted.
Now I have seen successful gift cards. Phishing scams come from newly registered domains where the victim lost around $15,000 to the scammer.
It's definitely something worth paying attention to
now. To use domain stats, you'll need to make sure that it is turned on by default. And it's disabled when choosing best practices on the production set up. But it's easy enough to turn back on if you read the documentation
now, you'll also need to make sure that the who is look ups can be performed outbound outbound on Port 43
if it is blocks by your firewall, then should work with the appropriate teams to get it enabled.
It's a frequency server is another Python script that is built into security onion. This one is checking for randomness, using NLP techniques on a variety of traffic types, including D. N s file name, script names, T L s names, et cetera.
The randomness in certain fields can be indicative of malware. See to communications et cetera.
Now, if I were to see traffic going to G y x d r e k dot press, I would be much more interested in looking into that traffic than if I saw traffic going to something dot com.
Now Frequency Server is free is similar to domain stats in that it is disabled by default. When configuring your server with best practices
to learn howto turn it back on, take a look at the documentation links here. The process is pretty straightforward
now, in this lesson we covered was ah de NS and ICMP anomaly detection, as well as the domain and Frequency Server Stats. A scripts. In the next lesson, we will wrap up the course CNN chairs