Internet Storm Center
Sign In
Sign Up
Handler on Duty:
Didier Stevens
Threat Level:
green
Date
Author
Title
DNS LOGS
2021-09-11
Guy Bruneau
Shipping to Elasticsearch Microsoft DNS Logs
DNS
2024-09-25/a>
Johannes Ullrich
DNS Reflection Update and Odd Corrupted DNS Requests
2024-08-30/a>
Jesse La Grew
Simulating Traffic With Scapy
2024-08-20/a>
Guy Bruneau
Mapping Threats with DNSTwist and the Internet Storm Center [Guest Diary]
2024-05-06/a>
Johannes Ullrich
Detecting XFinity/Comcast DNS Spoofing
2024-01-31/a>
Johannes Ullrich
The Fun and Dangers of Top Level Domains (TLDs)
2023-11-07/a>
Johannes Ullrich
What's Normal: New uses of DNS, Discovery of Designated Resolvers (DDR)
2023-09-06/a>
Johannes Ullrich
Security Relevant DNS Records
2023-08-01/a>
Johannes Ullrich
Summary of DNS over HTTPS requests against our honeypots.
2023-02-15/a>
Rob VandenBrink
DNS Recon Redux - Zone Transfers (plus a time machine) for When You Can't do a Zone Transfer
2023-01-30/a>
Johannes Ullrich
Decoding DNS over HTTP(s) Requests
2023-01-23/a>
Xavier Mertens
Who's Resolving This Domain?
2022-08-31/a>
Johannes Ullrich
Underscores and DNS: The Privacy Story
2022-08-10/a>
Johannes Ullrich
And Here They Come Again: DNS Reflection Attacks
2022-04-29/a>
Rob VandenBrink
Using Passive DNS sources for Reconnaissance and Enumeration
2021-12-17/a>
Rob VandenBrink
DR Automation - Using Public DNS APIs
2021-10-04/a>
Johannes Ullrich
Facebook Outage: Yes, its DNS (sort of). A super quick analysis of what is going on.
2021-09-11/a>
Guy Bruneau
Shipping to Elasticsearch Microsoft DNS Logs
2021-07-31/a>
Guy Bruneau
Unsolicited DNS Queries
2021-06-19/a>
Xavier Mertens
Easy Access to the NIST RDS Database
2021-05-30/a>
Didier Stevens
Video: Cobalt Strike & DNS - Part 1
2021-05-20/a>
Johannes Ullrich
New YouTube Video Series: Everything you ever wanted to know about DNS and more!
2021-01-25/a>
Rob VandenBrink
Fun with NMAP NSE Scripts and DOH (DNS over HTTPS)
2021-01-15/a>
Guy Bruneau
Obfuscated DNS Queries
2020-12-16/a>
Daniel Wesemann
DNS Logs in Public Clouds
2020-12-08/a>
Johannes Ullrich
December 2020 Microsoft Patch Tuesday: Exchange, Sharepoint, Dynamics and DNS Spoofing
2020-10-30/a>
Xavier Mertens
Quick Status of the CAA DNS Record Adoption
2020-08-04/a>
Johannes Ullrich
Internet Choke Points: Concentration of Authoritative Name Servers
2020-07-16/a>
John Bambenek
Hunting for SigRed Exploitation
2020-07-15/a>
Johannes Ullrich
PATCH NOW - SIGRed - CVE-2020-1350 - Microsoft DNS Server Vulnerability
2019-12-29/a>
Guy Bruneau
ELK Dashboard for Pihole Logs
2019-12-07/a>
Guy Bruneau
Integrating Pi-hole Logs in ELK with Logstash
2019-11-25/a>
Xavier Mertens
My Little DoH Setup
2019-10-25/a>
Rob VandenBrink
More on DNS Archeology (with PowerShell)
2019-10-21/a>
Jim Clausing
What's up with TCP 853 (DNS over TLS)?
2019-07-17/a>
Xavier Mertens
Analyzis of DNS TXT Records
2019-07-13/a>
Guy Bruneau
Guidance to Protect DNS Against Hijacking & Scanning for Version.BIND Still a Thing
2019-07-09/a>
John Bambenek
Solving the WHOIS and Privacy Problem: A Draft of Implementing WHOIS in DNS
2019-06-16/a>
Didier Stevens
Sysmon Version 10: DNS Logging
2019-03-27/a>
Xavier Mertens
Running your Own Passive DNS Service
2019-01-31/a>
Xavier Mertens
Tracking Unexpected DNS Changes
2019-01-22/a>
Xavier Mertens
DNS Firewalling with MISP
2018-09-22/a>
Didier Stevens
Suspicious DNS Requests ... Issued by a Firewall
2018-02-25/a>
Guy Bruneau
Blackhole Advertising Sites with Pi-hole
2017-12-13/a>
Xavier Mertens
Tracking Newly Registered Domains
2017-11-16/a>
Xavier Mertens
Suspicious Domains Tracking Dashboard
2017-10-20/a>
Rick Wanner
One year Anniversary of Dyn DDOS
2017-10-02/a>
Xavier Mertens
Investigating Security Incidents with Passive DNS
2017-06-14/a>
Xavier Mertens
Systemd Could Fallback to Google DNS?
2017-04-20/a>
Xavier Mertens
DNS Query Length... Because Size Does Matter
2016-10-23/a>
Johannes Ullrich
ISC Briefing: Large DDoS Attack Against Dyn
2016-07-26/a>
Johannes Ullrich
Command and Control Channels Using "AAAA" DNS Records
2016-06-12/a>
Guy Bruneau
DNS Sinkhole ISO Version 2.0
2016-04-28/a>
Rob VandenBrink
DNS and DHCP Recon using Powershell
2015-11-22/a>
Guy Bruneau
OpenDNS Research Used to Predict Threat
2015-11-08/a>
Rick Wanner
DNS Reconnaissance using nmap
2015-08-19/a>
Bojan Zdrnja
Outsourcing critical infrastructure (such as DNS)
2015-02-19/a>
Daniel Wesemann
DNS-based DDoS
2014-06-02/a>
Rick Wanner
Using nmap to scan for DDOS reflectors
2014-05-20/a>
Johannes Ullrich
Detecting Queries to "odd" DNS Servers
2014-04-30/a>
Johannes Ullrich
Be on the Lookout: Odd DNS Traffic, Possible C&C Traffic
2014-04-30/a>
Russ McRee
UltraDNS DDOS
2014-02-04/a>
Johannes Ullrich
Do you block "new" domain names?
2014-01-30/a>
Johannes Ullrich
New gTLDs appearing in the root zone
2013-12-21/a>
Guy Bruneau
Strange DNS Queries - Request for Packets
2013-11-19/a>
Jim Clausing
Updated dumpdns.pl
2013-11-04/a>
Manuel Humberto Santander Pelaez
When attackers use your DNS to check for the sites you are visiting
2013-10-21/a>
Johannes Ullrich
New tricks that may bring DNS spoofing back or: "Why you should enable DNSSEC even if it is a pain to do"
2013-10-17/a>
Adrien de Beaupre
Internet wide DNS scanning
2013-10-10/a>
Johannes Ullrich
google.com.my DNS hijack
2013-10-08/a>
Johannes Ullrich
CSAM: ANY queries used in reflective DoS attack
2013-10-02/a>
Johannes Ullrich
CSAM: Misc. DNS Logs
2013-09-26/a>
Johannes Ullrich
How do you monitor DNS?
2013-09-02/a>
Guy Bruneau
Snort IDS Sensor with Sguil New ISO Released
2013-08-14/a>
Johannes Ullrich
.GOV zones may not resolve due to DNSSEC problems.
2013-08-07/a>
Mark Hofman
DNS servers hijacked in the Netherlands
2013-07-17/a>
Johannes Ullrich
Network Solutions Outage
2013-07-12/a>
Johannes Ullrich
DNS resolution is failing for Microsofts Teredo server (teredo.ipv6.microsoft.com)
2013-07-10/a>
Johannes Ullrich
.NL Registrar Compromisse
2013-06-22/a>
Guy Bruneau
.biz DNSSEC DNSKEY is Invalid
2013-06-20/a>
Johannes Ullrich
Linkedin DNS Hijack
2013-06-05/a>
Richard Porter
BIND 9 Update fixing CVE-2013-3919
2012-12-14/a>
Johannes Ullrich
The "D-root" DNS server (terp.umd.edu) is changing its IP address in January http://seclists.org/nanog/2012/Dec/330
2012-12-06/a>
Daniel Wesemann
Comodo DNS hiccup on usertrust.com
2012-08-16/a>
Johannes Ullrich
A Poor Man's DNS Anomaly Detection Script
2012-07-24/a>
Richard Porter
Report of spike in DNS Queries gd21.net
2012-07-21/a>
Rick Wanner
TippingPoint DNS Version Request increase
2012-07-21/a>
Rick Wanner
OpenDNS is looking for a few good malware people!
2012-05-21/a>
Kevin Shortt
DNS ANY Request Cannon - Need More Packets
2012-05-16/a>
Johannes Ullrich
Got Packets? Odd duplicate DNS replies from 10.x IP Addresses
2012-03-30/a>
Daniel Wesemann
Tomorrow, the world will end
2012-02-23/a>
donald smith
DNS-Changer "clean DNS" extension requested
2012-02-20/a>
Rick Wanner
DNSChanger resolver shutdown deadline is March 8th
2012-02-09/a>
Richard Porter
DNS Ghost Domains, How I loath you so!
2012-01-21/a>
Guy Bruneau
DNS Sinkhole Scripts Fixes/Update
2012-01-18/a>
Johannes Ullrich
Use of Mixed Case DNS Queries
2012-01-13/a>
Guy Bruneau
Strange DNS Queries - Request Packets/Logs
2011-12-13/a>
Johannes Ullrich
Possible Widespread DNS Attack (info wanted)
2011-12-05/a>
Stephen Hall
ISC describe DNS crash bug analysis
2011-11-28/a>
Tom Liston
A Puzzlement...
2011-11-16/a>
Jason Lam
Potential 0-day on Bind 9
2011-11-11/a>
Rick Wanner
What's up with fbi.gov DNS?
2011-11-11/a>
Johannes Ullrich
Details About the fbi.gov DNSSEC Configuration Issue.
2011-11-09/a>
Russ McRee
Operation Ghost Click: FBI bags crime ring responsible for $14 million in losses
2011-10-15/a>
Guy Bruneau
DNS Sinkhole Parser Script Update
2011-10-10/a>
Tom Liston
What's In A Name?
2011-09-09/a>
Guy Bruneau
IPv6 and DNS Sinkhole
2011-09-04/a>
Lorna Hutcheson
Several Sites Defaced
2011-08-17/a>
Rob VandenBrink
When Good Patches go Bad - a DNS tale that didn't start out that way
2011-08-05/a>
Johannes Ullrich
Microsoft Patch Tuesday Advance Notification: 13 Bulletins coming http://www.microsoft.com/technet/security/Bulletin/MS11-aug.mspx
2011-08-05/a>
donald smith
New Mac Trojan: BASH/QHost.WB
2011-07-05/a>
Raul Siles
Two DoS remotely exploitable vulnerabilities affect BIND 9: http://www.isc.org/advisories/bind Updgrade to 9.8.0-P4.
2011-06-28/a>
Johannes Ullrich
DNSSEC Tips
2011-06-03/a>
Guy Bruneau
New Poll: How are you dealing with Malicious Domains?
2011-05-09/a>
Johannes Ullrich
Patch for BIND 9.8.0 DoS Vulnerability
2011-04-14/a>
Johannes Ullrich
dshield.org now DNSSEC signed via .org
2011-04-05/a>
Mark Hofman
DNS.be DDOS
2011-01-26/a>
Bojan Zdrnja
Google Chrome and (weird) DNS requests
2010-11-25/a>
Bojan Zdrnja
Secunia's DNS/domain hijacked?
2010-11-13/a>
Guy Bruneau
Register.com DNS Issues
2010-11-04/a>
Johannes Ullrich
DNSSEC Progress for .com and .net
2010-10-03/a>
Adrien de Beaupre
H went down.
2010-09-25/a>
Rick Wanner
Guest Diary: Andrew Hunt - Visualizing the Hosting Patterns of Modern Cybercriminals
2010-08-07/a>
Stephen Hall
DnsMadeEasy under a "quite large and unique" ddos.
2010-07-29/a>
Rob VandenBrink
NoScript 2.0 released
2010-06-19/a>
Guy Bruneau
DNS Sinkhole ISO Available for Download
2010-05-12/a>
Johannes Ullrich
.de TLD Outage
2010-05-04/a>
Rick Wanner
DNSSEC...not a bang but a whimper?
2010-02-26/a>
Rick Wanner
New version of dnsmap
2010-01-19/a>
Jim Clausing
49Gbps DDoS, IPv4 exhaustion, and DNSSEC, oh my!
2010-01-12/a>
Johannes Ullrich
Baidu defaced - Domain Registrar Tampering
2010-01-11/a>
Johannes Ullrich
the (large) domain registrar "eNom" appears to have problems with its DNS servers according to some user reports.
2010-01-10/a>
Guy Bruneau
Easy DNS BIND Sinkhole Setup
2009-12-15/a>
Johannes Ullrich
Important BIND name server updates - DNSSEC
2009-11-25/a>
Jim Clausing
Updates to my GREM Gold scripts and a new script
2009-11-24/a>
John Bambenek
BIND Security Advisory (DNSSEC only)
2009-11-02/a>
Daniel Wesemann
IDN ccTLDs
2009-10-29/a>
Kyle Haugsness
Cyber Security Awareness Month - Day 29 - dns port 53
2009-07-29/a>
Bojan Zdrnja
BIND 9 DoS attacks in the wild
2009-04-26/a>
Johannes Ullrich
Odd DNS Resolution for Google via OpenDNS
2009-03-21/a>
Stephen Hall
Updates to ISC BIND
2009-01-31/a>
Swa Frantzen
DNS DDoS - let's use a long term solution
2009-01-18/a>
Daniel Wesemann
DNS queries for "."
2009-01-08/a>
Kyle Haugsness
BIND OpenSSL follow-up
2009-01-07/a>
William Salusky
BIND 9.x security patch - resolves potentially new DNS poisoning vector
2008-12-04/a>
Bojan Zdrnja
Rogue DHCP servers
2008-11-25/a>
Andre Ludwig
OS X Dns Changers part three
2008-11-25/a>
Andre Ludwig
Tmobile G1 handsets having DNS problems?
2008-10-17/a>
Patrick Nolan
Day 17 - Containing a DNS Hijacking
2008-10-08/a>
Johannes Ullrich
Domaincontrol (GoDaddy) Nameservers DNS Poisoning
2008-08-14/a>
Johannes Ullrich
DNSSEC for DShield.org
2008-08-05/a>
Daniel Wesemann
Watching those DNS logs
2008-08-02/a>
Swa Frantzen
BIND: -P2 patches are released
2008-07-25/a>
Swa Frantzen
DNS bug - observations
2008-07-24/a>
Kyle Haugsness
DNS cache poisoning vulnerability details confirmed
2008-07-22/a>
Swa Frantzen
Dan Kaminsky's DNS bug: revealed? - Patch!
2008-07-09/a>
Marcus Sachs
DNS Vulnerability Found by a GSEC Student Three Years Ago!
2008-07-08/a>
Johannes Ullrich
Mulitple Vendors DNS Spoofing Vulnerability
2008-05-19/a>
Maarten Van Horenbeeck
Route filtering and its impact on the DNS fabric
2008-04-30/a>
Bojan Zdrnja
(Minor) evolution in Mac DNS changer malware
2008-03-23/a>
Johannes Ullrich
Finding hidden gems (easter eggs) in your logs (packet challenge!)
LOGS
2024-03-29/a>
Xavier Mertens
Quick Forensics Analysis of Apache logs
2023-12-10/a>
Guy Bruneau
Honeypots: From the Skeptical Beginner to the Tactical Enthusiast
2023-11-20/a>
Jesse La Grew
Overflowing Web Honeypot Logs
2023-08-31/a>
Guy Bruneau
Potential Weaponizing of Honeypot Logs [Guest Diary]
2023-07-23/a>
Guy Bruneau
Install & Configure Filebeat on Raspberry Pi ARM64 to Parse DShield Sensor Logs
2023-05-14/a>
Guy Bruneau
DShield Sensor Update
2023-01-21/a>
Guy Bruneau
DShield Sensor JSON Log to Elasticsearch
2023-01-08/a>
Guy Bruneau
DShield Sensor JSON Log Analysis
2022-12-21/a>
Guy Bruneau
DShield Sensor Setup in Azure
2021-10-11/a>
Johannes Ullrich
Things that go "Bump" in the Night: Non HTTP Requests Hitting Web Servers
2021-09-11/a>
Guy Bruneau
Shipping to Elasticsearch Microsoft DNS Logs
2021-03-12/a>
Guy Bruneau
Microsoft DHCP Logs Shipped to ELK
2021-02-13/a>
Guy Bruneau
Using Logstash to Parse IPtables Firewall Logs
2020-07-23/a>
Xavier Mertens
Simple Blocklisting with MISP & pfSense
2020-01-12/a>
Guy Bruneau
ELK Dashboard and Logstash parser for tcp-honeypot Logs
2019-12-07/a>
Guy Bruneau
Integrating Pi-hole Logs in ELK with Logstash
2019-09-17/a>
Rob VandenBrink
Investigating Gaps in your Windows Event Logs
2019-06-06/a>
Xavier Mertens
Keep an Eye on Your WMI Logs
2019-05-19/a>
Guy Bruneau
Is Metadata Only Approach, Good Enough for Network Traffic Analysis?
2018-07-17/a>
Xavier Mertens
Searching for Geographically Improbable Login Attempts
2018-06-21/a>
Xavier Mertens
Are Your Hunting Rules Still Working?
2017-07-09/a>
Russ McRee
Adversary hunting with SOF-ELK
2016-08-29/a>
Russ McRee
Recommended Reading: Intrusion Detection Using Indicators of Compromise Based on Best Practices and Windows Event Logs
2016-06-01/a>
Xavier Mertens
Docker Containers Logging
2014-08-15/a>
Tom Webb
AppLocker Event Logs with OSSEC 2.8
2014-02-14/a>
Chris Mohan
Scanning activity for /siemens/bootstrapping/JnlpBrowser/Development/
2014-02-09/a>
Basil Alawi S.Taher
Mandiant Highlighter 2
2014-01-04/a>
Tom Webb
Monitoring Windows Networks Using Syslog (Part One)
2013-12-03/a>
Rob VandenBrink
Even in the Quietest Moments ...
2013-10-10/a>
Mark Hofman
CSAM Some more unusual scans
2012-12-02/a>
Guy Bruneau
Collecting Logs from Security Devices at Home
2012-07-13/a>
Russ McRee
2 for 1: SANSFIRE & MSRA presentations
2012-07-11/a>
Rick Wanner
Excellent Security Education Resources
2012-05-02/a>
Bojan Zdrnja
Monitoring VMWare logs
2012-04-08/a>
Chris Mohan
Blog Log: More noise or a rich source of intelligence?
2011-11-19/a>
Kevin Liston
Monitoring your Log Monitoring Process
2011-06-21/a>
Chris Mohan
Australian government security audit report shows tough love to agencies
2011-06-20/a>
Chris Mohan
Log files - are you reviewing yours?
2011-05-17/a>
Johannes Ullrich
A Couple Days of Logs: Looking for the Russian Business Network
2010-12-24/a>
Daniel Wesemann
A question of class
2010-04-06/a>
Daniel Wesemann
Application Logs
2010-03-10/a>
Rob VandenBrink
What's My Firewall Telling Me? (Part 4)
2010-02-23/a>
Mark Hofman
What is your firewall telling you and what is TCP249?
2010-01-29/a>
Johannes Ullrich
Analyzing isc.sans.org weblogs, part 2, RFI attacks
2010-01-20/a>
Johannes Ullrich
Weathering the Storm Part 1: An analysis of our SANS ISC weblogs http://appsecstreetfighter.com
2009-10-26/a>
Johannes Ullrich
Web honeypot Update
2009-01-09/a>
Johannes Ullrich
SANS Log Management Survey
2008-08-19/a>
Johannes Ullrich
A morning stroll through my web logs
2008-08-05/a>
Daniel Wesemann
Watching those DNS logs
2006-09-18/a>
Jim Clausing
Log analysis follow up
2006-09-09/a>
Jim Clausing
Log Analysis tips?
2006-09-09/a>
Jim Clausing
A few preliminary log analysis thoughts
Homepage
Diaries
Podcasts
Jobs
Data
TCP/UDP Port Activity
Port Trends
SSH/Telnet Scanning Activity
Weblogs
Threat Feeds Activity
Threat Feeds Map
Useful InfoSec Links
Presentations & Papers
Research Papers
API
Tools
DShield Sensor
DNS Looking Glass
Honeypot (RPi/AWS)
InfoSec Glossary
Contact Us
Contact Us
About Us
Handlers
About Us
Slack Channel
Mastodon
Bluesky
X
This site is powered by
your submissions
, so tell us
what you see happening