Show HN: Detecting malware through DNS queries – a Kali Pi / Snort project

dnlongen.blogspot.com

9 points by dnlongen 11 years ago · 3 comments

dnlongenOP 11 years ago

There are a couple of shortcomings in the current approach. I'd welcome suggestions for how to improve this. The problems I see are:

1. The alert tells me the IP address of the offending computer or device, but not the domain name that was requested. I have Snort configured to store each packet that triggered an alert, and can use tcpdump to analyse the packets - but that's a bit of a pain. Do any readers know of a way to include payload fields from a DNS packet in the alert message?

2. I've identified 4 specific "warning page" DNS responses, but OpenDNS owns far more addresses that they may use for other conditions now or in the future. At a minimum, OpenDNS owns the ranges 67.215.64.0/19 and 204.194.232.0/21 -- all told, about 10,000 addresses. Snort supports matching IP ranges in CIDR notation for the source and destination, but my approach currently does a binary match in the payload. Do any readers have an example of a Snort rule that parses DNS packets into their component fields?
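As an added example (not code from the post or from the linked blog), the Python below sketches what a field-aware parser rather than a byte match would give the two problems above: it decodes the question name so an alert can carry the requested domain, and checks the A answers against the two OpenDNS CIDR ranges quoted in the post instead of four fixed addresses. The sample response and the address 67.215.65.132 in it are constructed for the example; the real block-page addresses are not given in the thread.

```python
import ipaddress, struct
# OpenDNS ranges quoted in the post; matching whole ranges replaces the four hard-coded addresses.
OPENDNS_RANGES = [ipaddress.ip_network("67.215.64.0/19"),
                  ipaddress.ip_network("204.194.232.0/21")]
def read_name(msg, off):
    """Decode a DNS name at `off`, following RFC 1035 compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # 2-byte pointer into the message
            hops += 1
            if hops > 16:                    # refuse pointer loops in hostile packets
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                # resume parsing after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)
def parse_response(msg):
    """Return (first question name, list of A-record addresses) from a DNS response."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, qname, answers = 12, None, []
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        qname = qname or name
        off += 4                             # skip QTYPE and QCLASS
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:        # A record
            answers.append(ipaddress.ip_address(msg[off:off + 4]))
        off += rdlen
    return qname, answers
def opendns_block_hits(msg):
    """(name, ip) pairs whose answer lies in an OpenDNS range, i.e. a filtered lookup."""
    qname, answers = parse_response(msg)
    return [(qname, str(ip)) for ip in answers
            if any(ip in net for net in OPENDNS_RANGES)]
# Constructed sample: bad.example -> 67.215.65.132, picked from 67.215.64.0/19 for this example only.
SAMPLE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # header: 1 question, 1 answer
          + b"\x03bad\x07example\x00\x00\x01\x00\x01"            # question: bad.example A IN
          + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04"  # answer: ptr, A, IN, TTL 3600, len 4
          + bytes([67, 215, 65, 132]))
```

Fed the captured DNS responses (e.g. from the packets Snort already logs), `opendns_block_hits` yields the domain that was filtered along with the block-page address, which is the field the alert message was missing.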

dnlongenOP 11 years ago

Port-mirroring would work for any traffic that traversed the smart switch ... I actually tried that at one point, but it's somewhat limited:

> If the smart switch is on the LAN side of the router, then I only see traffic from wired devices on the LAN and miss anything from wireless clients.

> If the smart switch is on the WAN side of the router, then I see any traffic destined for the Internet, but now the Pi has to account for NAT (everything coming back from DNS has a destination of my router's WAN interface).

micro-ram 11 years ago

Interesting approach comparing 2 DNS lookups. What about port mirroring the upstream router connection from a smart switch? Would it overload the Pi? Then it would be a simple plug-and-play device you could connect to any LAN (with mirroring) for a check-up.
