科技回声
© 2025 科技回声. All rights reserved.

Show HN: Detecting malware through DNS queries – a Kali Pi / Snort project

9 points by dnlongen almost 10 years ago

3 comments

dnlongen almost 10 years ago
There are a couple of shortcomings in the current approach. I'd welcome suggestions for how to improve this. The problems I see are:

1. The alert tells me the IP address of the offending computer or device, but not the domain name that was requested. I have Snort configured to store each packet that triggered an alert, and can use tcpdump to analyse the packets - but that's a bit of a pain. Do any readers know of a way to include payload fields from a DNS packet in the alert message?

2. I've identified 4 specific "warning page" DNS responses, but OpenDNS owns far more addresses that they may use for other conditions now or in the future. At a minimum, OpenDNS owns the ranges 67.215.64.0/19 and 204.194.232.0/21 -- all told, about 10,000 addresses. Snort supports matching IP ranges in CIDR notation for the source and destination, but my approach currently does a binary match in the payload. Do any readers have an example of a Snort rule that parses DNS packets into their component fields?
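Both shortcomings in the comment above come down to the same thing: the detector needs the DNS response split into its fields (queried name, answer records) so it can report the name and test the answer address against a CIDR range rather than a fixed byte pattern. The block below is an added example, not code from the Show HN project and not a Snort rule; it does the parsing in Python over a raw DNS response payload (the bytes Snort already stores for each alert), then checks every A answer against the two OpenDNS ranges quoted in the comment. The `build_response` helper, the transaction id and the domain name `malware.example` are constructed test fixtures, and the two ranges are assumed to be the complete list for this illustration.

```python
"""Parse a raw DNS response into its component fields and flag answers that
fall inside OpenDNS's address ranges (A records only).

Added example; not part of the original post or the author's project. The
sample packet is constructed by hand with the helper at the bottom.
"""
import ipaddress
import struct

# The two ranges quoted in the comment above (assumed complete for this example).
OPENDNS_RANGES = [
    ipaddress.ip_network("67.215.64.0/19"),
    ipaddress.ip_network("204.194.232.0/21"),
]


def read_name(data: bytes, offset: int) -> tuple:
    """Decode a DNS name at `offset`, following RFC 1035 compression pointers.
    Returns (dotted name, offset of the first byte after the name)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # 2-byte compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                       # name ends after the pointer
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 32:                              # malformed packet: pointer loop
                raise ValueError("too many compression pointers")
            continue
        offset += 1
        if length == 0:                                # root label terminates the name
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_dns_response(data: bytes) -> dict:
    """Return the question names and the A-record answers of one DNS response."""
    txid, flags, qdcount, ancount, _nscount, _arcount = struct.unpack("!6H", data[:12])
    if not flags & 0x8000:                             # QR bit: must be a response
        raise ValueError("not a DNS response")
    offset, questions, a_records = 12, [], []
    for _ in range(qdcount):
        name, offset = read_name(data, offset)
        offset += 4                                    # skip QTYPE and QCLASS
        questions.append(name)
    for _ in range(ancount):
        _owner, offset = read_name(data, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:               # TYPE A, IPv4 address
            a_records.append(str(ipaddress.IPv4Address(rdata)))
    return {"id": txid, "questions": questions, "a_records": a_records}


def opendns_block_hits(data: bytes) -> list:
    """(queried name, answer IP) pairs whose answer lies in an OpenDNS range.
    This replaces a fixed byte match on four known addresses with a CIDR test."""
    parsed = parse_dns_response(data)
    hits = []
    for ip in parsed["a_records"]:
        if any(ipaddress.ip_address(ip) in net for net in OPENDNS_RANGES):
            for name in parsed["questions"]:
                hits.append((name, ip))
    return hits


def build_response(name: str, ip: str, txid: int = 0x1234) -> bytes:
    """Constructed fixture: a minimal response with one question and one A answer
    whose owner name is a compression pointer (0xC00C) back to the question."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)   # standard response, no error
    question = qname + struct.pack("!HH", 1, 1)              # QTYPE A, QCLASS IN
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer


# Constructed sample: a lookup answered with an address inside 67.215.64.0/19.
SAMPLE = build_response("malware.example", "67.215.65.132")

if __name__ == "__main__":
    for qname, answer in opendns_block_hits(SAMPLE):
        print(f"OpenDNS warning-page answer: {qname} -> {answer}")
```

Feeding the stored alert packets through `opendns_block_hits` gives the domain name alongside the address, which is the information the Snort alert message lacks. The CIDR test covers the whole range OpenDNS owns rather than the four addresses observed so far, so an address OpenDNS starts using later is still caught; the trade-off is that any OpenDNS-hosted answer, not only a warning page, will match, so hits should be reviewed rather than treated as confirmed infections.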
dnlongen almost 10 years ago
Port-mirroring would work for any traffic that traversed the smart switch ... I actually tried that at one point, but it's somewhat limited:

> If the smart switch is on the LAN side of the router, then I only see traffic from wired devices on the LAN and miss anything from wireless clients.

> If the smart switch is on the WAN side of the router, then I see any traffic destined for the Internet, but now the Pi has to account for NAT (everything coming back from DNS has a destination of my router's WAN interface).
micro-ram almost 10 years ago
Interesting approach comparing 2 DNS lookups. What about port mirroring the upstream router connection from a smart switch? Would it overload the Pi? Then it would be a simple plug and play device you could connect to any LAN (with mirroring) for a check-up.