There is a new module in Ourmon, Topn DNS that shows the DNS traffic statistic. It comes with a DNS blacklist feature that needs to be configured. What I am going to show here are how to configure it (which is quite easy), and automate the update by using simple scripting with Shell, Perl.
First of all, this is the how to for DNS blacklist configuration:
The dns_include file config line allows a DNS name based blacklist to be configured into the ourmon probe. Any number of files may be given. The format of individual entries in the DNS blacklist is as follows:
One entry should be given per line.
DNS query responses are unwrapped and if the question is found to match the DNS name in the blacklist, an ourmon event log message is generated.
That means, we need to create a blacklist file with the format above, and a list of black listed domains.
There is a project called DNS-BH, they create and maintain a listing of domains that are known to be used to propagate malware and spyware. So, with the free malware domains list, we are able to create a list and include it to the DNS blacklist.
I have created 2 scripts, 1 Perl script (domain-filter.pl) to grab the domains from the malware domains list and write them to a new file with format that Ourmon accepts, for example:
From guti.my unknown guti.my/ourmon-dns-blacklist 2008apr to guti.my A
and 1 Shell (getbldns.sh) script to process the update, so that I am able to set it as cron job.
For those who are interested to try it out, you may download it at http://www.gutizz.com/scripts/ourmon-dns-blacklist.bz2.
There is a Readme file included the package as well. You need to edit the path of dns_include, and the path in the getbldns.sh shell script if your installation is in different directory.
This is the sample of the event log after blacklist has been configured, so you need to check why there were DNS requests to malware domains from these servers. (Click to enlarge the image.)
There are 2 blacklist features in Ourmon as well, which are IRC blacklist and IP blacklist. Ourmon team has the IRC blacklist script written and put them in Ourmon src/scripts/, and I am still working on IP Blacklist which will fetch the black list IP from Harimau watchlist, the main problem is the support of netblock in the Ourmon IP Blacklist, which I will consider to remove those netblock addresses.
If you concern on the CPU and memory usage, here is the resource usage of Ourmon, with 20290 domains in DNS blacklist, and list of IP from EmergingThreat botcc rules in IRC blacklist loaded, and over 10k/s packets at peaks.
PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND 59799 root 1 -58 0 48552K 28348K bpf 4 3:44 2.49% ourmon
If you have any other recommendation on DNS blacklist, please let me know.