-
Notifications
You must be signed in to change notification settings - Fork 630
Sinkhole Use Case
Many organizations we work with are using Response Policy Zones (RPZ) to block or sinkhole malicious or suspicious DNS traffic. Often times they want to send the possibly infected host to a sinkhole server in order to identify the host, capture the network traffic and fire off an event in their SIEM. Modern Honey Network and honeypot sensors can aid in this scenario.
Honeypots such as Dionaea, co-deployed with p0f and snort can be a very effective sensor for catching these sorts of network activity and MHN will ensure that the data collected from these sensors will be stored and integrated with a SIEM such as ArcSight, Splunk, or even ELK. Typically, you will only need one of these sensors deployed to a static IP address. This IP will be used in the RPZ responses to reroute the requesting host to the honeypot sensor instead of the real malicious IP in the wild.
Implementation:
- Deploy MHN (likely want to configure with an integration with Splunk or CEH output)
- Setup a server for use as the sinkhole server with a static IP address (Ubuntu tends to work best).
- Deploy the following sensors to the sinkhole server: Dionaea, Kippo, p0f, and snort.
- Make the IP of your sinkhole server and make it the destination of the RPZ entries.
Example entry in the RPZ zone:
# 192.168.2.5 - IP of the sinkhole server
malicious-domain.com A 192.168.2.5
*.malicious-domain.com A 192.168.2.5