I have configured the DNS sinkhole feature. The sinkholing is working fine, providing and blocking the fake IP. The only problem is that although I can get the original client IP connecting to the fake IP, I cannot find the payload (URL/resource being requested). Is there any way I can capture packets like spyware/vulnerability etc.? I checked into these objects, however I did not find an option for matching on the destination IP address.
I haven't tried this myself yet, but you might be able to do it based on the following article, if you have a separate rule for the sinkhole traffic: How to Capture Traffic (PCAP) Hitting a Specific Rule
Edit: On 2nd thought, in the Anti-Spyware Profile -> DNS Signatures -> where you configure the action as 'sinkhole' there is an option to configure an extended pcap - does this not work?
Since most people set up a fictitious IP address as their sinkhole IP address, there is no host on the other end. Any TCP traffic would not make it past the initial SYN requests. In order to capture some traffic, the destination host would have to be listening on the applicable port and get past the three-way handshake. The data following that would be what you are looking for. A sinkhole is just a destination for traffic to go to; its main benefit is identifying infected hosts based on seeing the traffic attempts to the destination IP address of the sinkhole.
Hope this helps,
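The listener the answer above calls for, a host on the sinkhole IP that actually completes the three-way handshake so the infected client's request (URL and Host header) can be logged next to its source IP, as an added example; it is not code from this thread or from Palo Alto Networks. It assumes the sinkhole IP is routed to the host running it and that you bind the port the sinkholed connections arrive on; the loopback demo uses an ephemeral port and a constructed request.

```python
import socket
import threading

def parse_http_request(data: bytes) -> dict:
    """Pull method, path and Host header out of the first request on a connection."""
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1", errors="replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:  # client sent nothing, or something that is not HTTP
        return {"method": None, "path": None, "host": None}
    hosts = [ln.split(":", 1)[1].strip() for ln in lines[1:] if ln.lower().startswith("host:")]
    return {"method": parts[0], "path": parts[1], "host": hosts[0] if hosts else None}

def handle_client(conn: socket.socket, addr: tuple, log: list) -> None:
    """Handshake already done by accept(); read one request, log client IP + URL, close."""
    with conn:
        conn.settimeout(5)
        try:
            data = conn.recv(4096)
        except OSError:  # timeout or reset: still record the connection attempt
            data = b""
        log.append({"client": addr[0], **parse_http_request(data)})
        # Empty reply so the infected client does not sit on the connection.
        conn.sendall(b"HTTP/1.1 204 No Content\r\nConnection: close\r\n\r\n")

def start_sinkhole(bind_addr: str, port: int, log: list) -> tuple:
    """Listen in a background thread; returns (server_socket, bound_port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(16)
    def accept_loop():
        while True:
            try:
                conn, addr = srv.accept()
            except OSError:  # server socket closed: stop accepting
                return
            threading.Thread(target=handle_client, args=(conn, addr, log), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]

def demo() -> list:
    """Offline check on loopback with one constructed request; returns the log."""
    log = []
    srv, port = start_sinkhole("127.0.0.1", 0, log)
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(b"GET /gate.php?id=42 HTTP/1.1\r\nHost: bad.example\r\n\r\n")
        c.recv(1024)  # waiting for the 204 guarantees the log entry exists
    srv.close()
    return log
```

Only plaintext HTTP is decoded; a TLS client will complete the TCP handshake, but without a certificate it trusts you only ever see the ClientHello, so the log still just tells you which host connected.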