A fast parser for DNS pcap data.
-- OVERVIEW --
dns_parse takes as input a pcap of DNS data and produces a complete, trivially
parsable, human readable ASCII version of the same data. It's generally useful
for network monitoring (send the data to Splunk or similar). The most common
carrying protocols are supported, as well as packet deduplication.
-- SUPPORTED PROTOCOLS --
Ethernet
MPLS
IPv4 (including fragment reassembly)
IPv6 (including fragment reassembly)
UDP
TCP (with flow state saving and loading between pcaps)
DNS (on any port)
-- AUTHOR INFO --
Paul Ferrell
pferrell@lanl.gov
-- CONTENTS --
Code to build bin/dns_parse.
init/dnscapture - An init script for running tcpdump on an interface as a
service to generate regular pcap files.
bin/dns_parse_cron - A python cron job script for periodically running dns_parse
on regularly output pcap files (generally from using the -C or -G options in
tcpdump).
pkgs/dns_parse.spec - An RPM spec file, for those dinosaurs that still use these
things (like me).
etc/* - example config files for init/dnscapture and bin/dns_parse_cron
-- DEPENDENCIES --
libpcap
-- OS Dependencies --
This has been tested primarily on x86_64 Linux, but there shouldn't be any typing issues on 32-bit machines.
-- BUILDING AND INSTALLING --
make
make install
-- Running --
"./bin/dns_parse -h" should tell you everything you need to know.
A reasonable set of options is:
./bin/dns_parse -m "" -t -r
This gets you newline-separated resource records, an empty main record separator,
pretty-printed dates, and the shorthand for the record types (i.e. A or CNAME).
Printing of additional and name server records is disabled by default.
from https://github.com/pflarr/dns_parse
-----
pDNS2
pDNS2 project
pDNS2 is yet another implementation of a passive DNS tool working with Redis as the database. pDNS2 means 'passive DNS version 2' and favors speed in query over other database features. pDNS2 is based on Florian Weimer's original dnslogger with improved features for speed and specialization for analysts.
REQUIREMENTS
Redis http://redis.io/
Redis API https://github.com/andymccurdy/redis-py
wireshark full install http://www.wireshark.org/
GETTING STARTED
This version has two simple Python scripts: pdns2_collect.py to support the collection of DNS traffic, and pdns2_query.py to query it.
- Ensure Wireshark is installed and working and can collect on the desired interface or read pcap files.
- Run redis-server listening on local port 6379.
- Run pdns2_collect.py with -i for an interface or -p for a pcap file.
- Once collection is working, try pdns2_query.py with the options available.
Below we are simply using a wildcard with -d for any domain.
Sample query:
python pdns2_query.py -d *
Domain            ips              first     date      rr     ttl    count
w2.eff.org        69.50.232.52     20120524  20120524  CNAME  300    3
web5.eff.org      69.50.232.52     20120524  20120524  A      300    3
slashdot.org      216.34.181.45    20120524  20120524  A      2278   1
csi.gstatic.com   74.125.143.120   20120524  20120524  A      300    1
ssl.gstatic.com   74.125.229.175   20120524  20120524  A      244    1
xkcd.com          107.6.106.82     20120524  20120524  A      600    1
imgs.xkcd.com     69.9.191.19      20120524  20120524  CNAME  418    1
www.xkcd.com      107.6.106.82     20120524  20120524  CNAME  600    1
craphound.com     204.11.50.137    20120524  20120524  A      861    1
www.youtube.com   173.194.37.4     20120524  20120524  CNAME  81588  1
pDNS2 commands
arguments:
  -h, --help                                show this help message and exit
  -d DOMAIN, --domain DOMAIN
  -i IP, --ip IP
  -da DATE, --date DATE
  -ips IP_SNIFF, --ip_sniff IP_SNIFF
  -ttl TTL, --ttl TTL
  -rr RRECORD, --rrecord RRECORD
  -l LOCAL, --local LOCAL
  -ac ACOUNT, --acount ACOUNT
  -c COUNT, --count COUNT
  -ipf IP_FLUX, --ip_flux IP_FLUX
  -ipr IP_REVERSE, --ip_reverse IP_REVERSE

DOMAIN EXAMPLES
  -d *example.com        seeks all domains that end with example.com
  -i 1.1.1.1             ip address search
  -ttl 0                 use a number like 0 or 100 to get all the TTL of a specific value; search is based on domain, not IP
  -ac *example.com       return by query, counts of counts (usage), or 'hits' for the domains in order; *.google.com or *.com are examples
  -l                     search entire database for local resolved IP addresses that resolve to 127.0.0.1 etc.
  -ipf *.com             return a COUNT of domains in the IP space for each instance of a domain; use with ip_reverse
  -ipr * seattletimes.com   use with ip_flux; enumerate domains in the IP space
  -ips 192.168.1.1       search the domain space for a specific IP address, different than searching by IP
  -da 20130101           return all records by date

ADMINISTRATIVE
  delete_key('Domain:*delete*')                    Dangerous command: deletes a key; must use the entire key such as Domain: or IP:
  raw_record('Domain:xalrbngb-0.t.nessus.org')     view the raw record properties (no wildcards); use the full key name

pDNS2 tracks current state and last known; it is a snapshot of organization perception, not a log.
from https://github.com/bez0r/pDNS2
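The query output above and the -ipf/-ipr "domains in the IP space" pivot are the two things an analyst actually does with a passive DNS store. The following is an added example, not code from pDNS2 or its author: it parses the whitespace-separated rows exactly as pdns2_query.py printed them in the README sample (the column order Domain / ips / first / date / rr / ttl / count is the only assumption), builds a reverse index from IP to the names seen resolving to it, and summarizes a single name. The SAMPLE_OUTPUT constant is constructed from the README's rows; PdnsRecord, parse_pdns2_output, shared_ips and domain_summary are names chosen here and do not exist in the project.

```python
"""Parse pDNS2 query output and pivot on IPs shared by several domains.

Added example (not part of pDNS2): it assumes only the whitespace-separated
column layout the README sample shows: Domain / ips / first / date / rr / ttl / count.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List

# Constructed sample: the rows printed by the README's `pdns2_query.py -d *` run.
SAMPLE_OUTPUT = """\
Domain ips first date rr ttl count
w2.eff.org 69.50.232.52 20120524 20120524 CNAME 300 3
web5.eff.org 69.50.232.52 20120524 20120524 A 300 3
slashdot.org 216.34.181.45 20120524 20120524 A 2278 1
csi.gstatic.com 74.125.143.120 20120524 20120524 A 300 1
ssl.gstatic.com 74.125.229.175 20120524 20120524 A 244 1
xkcd.com 107.6.106.82 20120524 20120524 A 600 1
imgs.xkcd.com 69.9.191.19 20120524 20120524 CNAME 418 1
www.xkcd.com 107.6.106.82 20120524 20120524 CNAME 600 1
craphound.com 204.11.50.137 20120524 20120524 A 861 1
www.youtube.com 173.194.37.4 20120524 20120524 CNAME 81588 1
"""


@dataclass(frozen=True)
class PdnsRecord:
    domain: str
    ip: str
    first: str   # first-seen date, YYYYMMDD as printed by pdns2_query.py
    last: str    # the README's "date" column (last seen)
    rr: str
    ttl: int
    count: int


def parse_pdns2_output(text: str) -> List[PdnsRecord]:
    """Turn query output into records, rejecting malformed rows instead of
    silently assigning values to the wrong columns."""
    records: List[PdnsRecord] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0] == "Domain":
            continue  # blank line or the header row
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 columns, got {len(fields)}")
        domain, ip, first, last, rr, ttl, count = fields
        ip_address(ip)  # raises ValueError if the ips column is not an IPv4/IPv6 literal
        records.append(PdnsRecord(domain.lower().rstrip("."), ip, first, last,
                                  rr.upper(), int(ttl), int(count)))
    return records


def domains_by_ip(records: List[PdnsRecord]) -> Dict[str, List[str]]:
    """Reverse index: each IP to the sorted list of names seen resolving to it."""
    index: Dict[str, set] = defaultdict(set)
    for rec in records:
        index[rec.ip].add(rec.domain)
    return {ip: sorted(names) for ip, names in index.items()}


def shared_ips(records: List[PdnsRecord], min_domains: int = 2) -> Dict[str, List[str]]:
    """IPs hosting at least `min_domains` distinct names: the same pivot the
    README's -ipf/-ipr options run inside Redis, done here on exported rows."""
    return {ip: names for ip, names in domains_by_ip(records).items()
            if len(names) >= min_domains}


def domain_summary(records: List[PdnsRecord], domain: str) -> Dict[str, object]:
    """Everything the rows say about one name: IPs, record types, hits, lowest TTL."""
    wanted = domain.lower().rstrip(".")
    rows = [rec for rec in records if rec.domain == wanted]
    return {
        "ips": sorted({rec.ip for rec in rows}),
        "rr_types": sorted({rec.rr for rec in rows}),
        "hits": sum(rec.count for rec in rows),
        "min_ttl": min((rec.ttl for rec in rows), default=None),
    }


if __name__ == "__main__":
    recs = parse_pdns2_output(SAMPLE_OUTPUT)
    for ip, names in sorted(shared_ips(recs).items()):
        print(f"{ip}: {', '.join(names)}")
    print(domain_summary(recs, "xkcd.com"))
```

Run against the README rows it reports 69.50.232.52 (w2.eff.org, web5.eff.org) and 107.6.106.82 (www.xkcd.com, xkcd.com) as shared IPs. The parser deliberately fails loudly on a row with the wrong column count or an unparsable address; passive DNS output is pasted into tickets and scripts constantly, and a quietly shifted column turns a TTL into a hit count without anyone noticing.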