Two days ago, I wrote about how to profile traffic to recognize DNS over HTTPS. This is kind of a problem for DNS over HTTPS. If you can see it, you may be able to block it. On Twitter, a few chimed in to provide feedback about recognizing DNS over HTTPS. I checked a couple […]

Whenever I talk about DNS over HTTPS (DoH), the question comes up if it is possible to fingerprint DoH traffic without decrypting it. The idea is that something about DoH packets is different enough to identify them. This evening after recording my podcast, I experimented a bit with this idea to see what could be […]

This is continuing a post from April about network traffic from Windows 10. When dealing with network traffic, it is always good to know what is normal. As part of this series, I will investigate the first few minutes of network traffic from current operating systems. With macOS 10.15 Catalina just being released, I figured […]

Recently in class, we were discussing detection strategies for DNS cache poisoning attacks. One of the ideas was to look for duplicate DNS replies to the same request. This would be pretty difficult with signature detection tools and flow data wouldn’t have enough details. Zeek would be perfect for this type of detection. Let’s write […]

One of the Zeek concepts we discuss in SEC503: Intrusion Detection In-Depth is how scripts are reacting to events, not necessarily packets. Yes, Zeek processes packets and scripts can be written to react to individual packet characteristics but this is through exposed events. A single packet may trigger one event but, more than likely, it […]