Suspicious DNS

elopezsa edited this page Sep 21, 2016 · 2 revisions

## Purpose and Audience

This section contains a walk-through of the Suspicious DNS Web page. The intended audience is security analysts responsible for reviewing the results for potential threats.

### Walk-through

1. Open the analyst view for Suspicious DNS: http://"server-ip":8889/files/ui/dns/suspicious.html. Select the date that you want to review (defaults to the current date). Your screen should now look like this:

2. The Suspicious frame

Located at the top left of the Web page, this frame shows the top 250 suspicious DNS records from the Machine Learning (ML) output.

  1. Moving the mouse over a suspicious DNS record highlights the entire row and applies a blur effect that lets you quickly identify the current connection within the Network View frame.
  2. Shield icon. Represents the result of any reputation service that has been enabled; mouse over it to obtain additional information. The icon changes color depending on the result from each reputation service.
  3. Selecting a Suspicious DNS record highlights the current row as well as the corresponding node in the Network View frame. In addition, the Details frame is populated with the other communications directed to the same DNS record.

3. The Network View frame

Located at the top right corner, Network View is a graphic representation of the "Suspicious DNS".

  1. As soon as you move your mouse over a node, a dialog appears providing additional information.
  2. Diamonds represent DNS records and circles represent IP addresses communicating with the respective DNS record.
  3. A primary mouse click on an IP address (circle) brings up a diagram in the Details frame showing all the domain name records queried by that particular IP address.
  4. A secondary mouse click uses the node information to filter the suspicious data.

4. The Details frame

Located at the bottom right corner of the Web page, it provides additional information for the selected connection.

The Details frame has two modes:

  • Table details (when you select a record in the Suspicious frame).
  • Dendrogram diagram (when you select an IP address in the Network View frame).

5. The Notebook frame

This frame contains an initialized Jupyter Notebook. Its main function is to allow the analyst to score IP addresses and DNS records with different values. To assign a risk to a specific connection, select it using a combination of the combo boxes, select the appropriate risk rating (1 = High risk, 2 = Medium/Potential risk, 3 = Low/Accepted risk) and click the Score button. Selecting a value from each list narrows down the matches, so if the analyst wishes to score all connections sharing one relevant attribute (e.g. IP address 10.1.1.1), select only the relevant combo boxes and leave the rest at the first row at the top.

#### The Score button

Pressing the 'Score' button finds all exact matches of the selected threat (Client IP or Query) in the dns_scores.csv file and updates them with the selected rating value. These results are temporarily stored in the score_tmp.csv file and copied back to the dns_scores.csv file at the end of the process.
Selecting values from both the "Client IP" and "Query" lists to score them together updates every matching threat individually with the same rating value, not necessarily as a Client IP/Query pair.

You can score a large set of similar or coincident queries by entering a keyword in the "Quick Scoring" text field and then selecting a severity value from the radio button list. The value entered here is matched only against the dns_qry_name column. The "Quick Scoring" text field takes precedence over any selection made in the lists.
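The scoring rules described above (exact matching on Client IP and Query, matches updated individually rather than as a pair, Quick Scoring keyword matched only against dns_qry_name and taking precedence, and the write through a temporary file back to dns_scores.csv), as an added example that is not part of the original page or of the project's own notebook code. Apart from dns_qry_name, the column names (client_ip, ip_sev, dns_sev) and the sample rows are constructed assumptions.

```python
import csv
import io
import os

# Constructed sample standing in for dns_scores.csv. Only dns_qry_name is a
# column name from the page; client_ip, ip_sev and dns_sev are assumptions.
SAMPLE_SCORES = """client_ip,dns_qry_name,ip_sev,dns_sev
10.1.1.1,update.example-cdn.com,0,0
10.1.1.1,mail.example.org,0,0
10.1.1.2,a1b2c3.bad-example.net,0,0
10.1.1.3,update.example-cdn.com,0,0
10.1.1.4,x9y8.bad-example.net,0,0
10.1.1.5,login.example.com,0,0
"""

# Rating scale from the page: 1 = High, 2 = Medium/Potential, 3 = Low/Accepted.
VALID_RATINGS = (1, 2, 3)


def load_scores(text):
    """Parse CSV text into a list of row dicts (all values are strings)."""
    return list(csv.DictReader(io.StringIO(text)))


def score_records(rows, rating, client_ip=None, query=None, quick=None):
    """Apply a rating in place, following the Score button rules:
    - a Quick Scoring keyword takes precedence and searches dns_qry_name only;
    - otherwise Client IP and Query are matched exactly and independently,
      so a row can be updated by either side, never only as a pair.
    Returns the number of rows updated."""
    if rating not in VALID_RATINGS:
        raise ValueError("rating must be 1 (High), 2 (Medium) or 3 (Low)")
    rating = str(rating)
    updated = 0
    for row in rows:
        hit = False
        if quick:
            # case-insensitive substring match against the query name only
            if quick.lower() in row["dns_qry_name"].lower():
                row["dns_sev"] = rating
                hit = True
        else:
            if client_ip and row["client_ip"] == client_ip:
                row["ip_sev"] = rating
                hit = True
            if query and row["dns_qry_name"] == query:
                row["dns_sev"] = rating
                hit = True
        if hit:
            updated += 1
    return updated


def unscored(rows):
    """Rows still listed as suspicious: nothing rated on either side."""
    return [r for r in rows if r["ip_sev"] == "0" and r["dns_sev"] == "0"]


def write_scores(rows, path):
    """Write to a temporary file and replace the target atomically, like the
    score_tmp.csv -> dns_scores.csv copy-back the page describes."""
    tmp = path + ".tmp"
    with open(tmp, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(rows[0].keys()))
        writer.writeheader()
        writer.writerows(rows)
    os.replace(tmp, path)
    return path


if __name__ == "__main__":
    rows = load_scores(SAMPLE_SCORES)
    # Quick Scoring: every query under bad-example.net becomes High risk.
    print(score_records(rows, 1, quick="bad-example.net"))
    # Client IP and Query together: each side is matched on its own.
    print(score_records(rows, 3, client_ip="10.1.1.1",
                        query="update.example-cdn.com"))
    print([r["dns_qry_name"] for r in unscored(rows)])
```

With the constructed rows, the combined Client IP/Query call touches three rows: both rows for 10.1.1.1 and the 10.1.1.3 row that queries the same CDN host, which is exactly the "individually, not as a pair" behaviour the page warns about.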

#### The Save button

Analysts must use the Save button to store the scored records. After you click it, the rest of the frames on the page are refreshed and the connections you already scored disappear from the suspicious connects page. A shell script is executed to copy the file with the scored connections to the ML node at a specific path. The following values are obtained from the .conf file:

  • LPATH
  • MLNODE
  • LUSER

For this process to work correctly, it is important to create an ssh key to enable secure communication between the nodes, in this case the ML node and the node where the UI runs. To learn how to create and copy the ssh key, refer to the "Configure User Accounts" section.
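The Save step reads LPATH, MLNODE and LUSER from the .conf file and hands them to a shell script that copies the scored file to the ML node over ssh. The following added example (not the project's own script) shows the two checks a practitioner would want there: validating the three values before they flow into a shell command, and running scp in non-interactive mode so that a missing or wrong ssh key fails outright instead of prompting for a password. The sample .conf contents, the assumption that LPATH is the destination directory on the ML node, and the key/value file format are constructed assumptions; the command is built as an argument list and returned rather than executed.

```python
import re

# Constructed sample of the .conf file; the three keys are the ones the page lists.
SAMPLE_CONF = """# UI -> ML node transfer settings (constructed sample)
LPATH=/home/spot/ui/data/dns
MLNODE=ml-node.internal.example
LUSER=spot
"""

REQUIRED_KEYS = ("LPATH", "MLNODE", "LUSER")

# These values are interpolated into a shell script, so accept only a
# conservative character set: no whitespace, quotes, $, ;, | or backticks.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9._/@-]+$")


def parse_conf(text):
    """Parse KEY=VALUE lines, ignore comments/blank lines, and reject missing
    keys or values that could alter the shell command they end up in."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("malformed .conf line: %r" % line)
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip('"')
    missing = [k for k in REQUIRED_KEYS if k not in conf]
    if missing:
        raise ValueError("missing keys in .conf: %s" % ", ".join(missing))
    for key in REQUIRED_KEYS:
        if not SAFE_VALUE.match(conf[key]):
            raise ValueError("unsafe value for %s: %r" % (key, conf[key]))
    return conf


def build_copy_command(conf, scored_file="dns_scores.csv"):
    """Return the scp argument list that copies the scored file to the ML node.
    BatchMode=yes makes scp rely on the ssh key only and fail instead of
    prompting; StrictHostKeyChecking=yes refuses an unknown ML node host key."""
    destination = "%s@%s:%s/" % (conf["LUSER"], conf["MLNODE"], conf["LPATH"])
    return [
        "scp",
        "-o", "BatchMode=yes",
        "-o", "StrictHostKeyChecking=yes",
        scored_file,
        destination,
    ]


if __name__ == "__main__":
    settings = parse_conf(SAMPLE_CONF)
    # A real script would pass this list to subprocess.run(...) (no shell).
    print(" ".join(build_copy_command(settings)))
```

Passing the list to `subprocess.run` without `shell=True` keeps each value a single argument; the character whitelist is the second line of defence for the case where the same values are sourced by a shell script, as the page describes.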

## Input files

  • dns_scores.csv
  • dns_scores_bu.csv