 def __init__(self):
     """Register the innuendo-dns decoder with DNSDecoder.

     Passes the decoder's metadata (name, description, capture filter,
     author) to the DNSDecoder base constructor and starts with an empty
     whitelist.
     """
     # Metadata handed to the base constructor; the filter limits the
     # decoder to port-53 traffic.
     metadata = {
         'name': 'innuendo-dns',
         'description': 'proof-of-concept detector for INNUENDO DNS channel',
         'filter': '(port 53)',
         'author': 'primalsec',
     }
     DNSDecoder.__init__(self, **metadata)
     # Domains to exclude from reporting. Left empty; the original author
     # noted that A/V vendor domains would probably need to be listed here
     # to cut down on false positives.
     self.whitelist = []
 def __init__(self):
     """Register the dns-asn decoder with DNSDecoder.

     Hands the decoder metadata plus the ``cleanupinterval`` and
     ``maxblobs`` tuning values through to the base constructor.
     """
     # Descriptive metadata for this decoder.
     metadata = {
         'name': 'dns-asn',
         'description': 'identify AS of DNS A/AAAA record responses',
         'filter': '(port 53)',
         'author': 'bg',
     }
     # Base-class tuning knobs; their meaning is defined by DNSDecoder,
     # which is outside this block.
     tuning = {
         'cleanupinterval': 10,
         'maxblobs': 2,
     }
     DNSDecoder.__init__(self, **metadata, **tuning)
 def __init__(self):
     """Register the innuendo-dns decoder with DNSDecoder.

     Supplies name, description, capture filter and author to the base
     constructor, then initialises an empty whitelist.
     """
     # Filter restricts the decoder to port-53 traffic.
     metadata = dict(
         name='innuendo-dns',
         description='proof-of-concept detector for INNUENDO DNS channel',
         filter='(port 53)',
         author='primalsec',
     )
     DNSDecoder.__init__(self, **metadata)
     # Domains to skip when reporting; empty for now. The original note
     # suggests A/V vendor domains are likely candidates for this list.
     self.whitelist = []
 def __init__(self):
     """Register the dns-asn decoder with DNSDecoder.

     Passes the decoder metadata and the ``cleanupinterval``/``maxblobs``
     base-class settings to the DNSDecoder constructor.
     """
     metadata = dict(
         name="dns-asn",
         description="identify AS of DNS A/AAAA record responses",
         filter="(port 53)",
         author="bg",
     )
     # Settings interpreted by DNSDecoder (defined outside this block).
     settings = dict(cleanupinterval=10, maxblobs=2)
     DNSDecoder.__init__(self, **metadata, **settings)
 def __init__(self):
     """Register the dns-cc decoder and its user options with DNSDecoder.

     Besides the usual metadata, passes an ``optiondict`` describing two
     command-line options (``foreign`` and ``code``) for the base class
     to expose.
     """
     # Option specs keyed by option name. The 'action'/'help'/'type' keys
     # look like optparse-style specs ('type': 'string' is the optparse
     # spelling); how DNSDecoder consumes them is outside this block.
     options = {
         'foreign': {'action': 'store_true', 'help': 'report responses in foreign countries'},
         'code': {'type': 'string', 'help': 'filter on a specific country code (ex. US)'},
     }
     DNSDecoder.__init__(
         self,
         name='dns-cc',
         description='identify country code of DNS A/AAAA record responses',
         filter='(port 53)',
         author='bg',
         cleanupinterval=10,
         maxblobs=2,
         optiondict=options,
     )
 def __init__(self):
     """Register the dns decoder and its reporting options with DNSDecoder.

     The capture filter is narrower than the other decoders' ('udp and
     port 53' rather than 'port 53'), so TCP DNS is not seen by this one.
     """
     # Every option is a boolean switch ('store_true'); the help text is
     # shown verbatim to the user. How they interact (show_* vs only_*) is
     # decided by code outside this block.
     flags = {
         'show_noanswer': 'report unanswered queries alongside other queries',
         'show_norequest': 'report unsolicited responses alongside other responses',
         'only_noanswer': 'report only unanswered queries',
         'only_norequest': 'report only unsolicited responses',
         'showall': 'show all answered queries/responses',
     }
     options = {
         flag: {'action': 'store_true', 'help': text}
         for flag, text in flags.items()
     }
     DNSDecoder.__init__(
         self,
         name='dns',
         description='extract and summarize DNS queries/responses (defaults: A,AAAA,CNAME,PTR records)',
         filter='(udp and port 53)',
         author='bg/twp',
         optiondict=options,
     )
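    def __init__(self):
        """Register the reservedips decoder and parse its reserved-network list.

        Calls the DNSDecoder base constructor with the decoder metadata,
        then converts each reserved IPv4/IPv6 prefix below into an
        ``IPy.IP`` object (kept in ``self.reservednets``) and initialises
        ``self.domains``, the list of domains seen so far.
        """
        DNSDecoder.__init__(
            self,
            name='reservedips',
            description='identify DNS resolutions that fall into reserved ip space',
            filter='(port 53)',
            author='bg',
            cleanupinterval=10,
            maxblobs=2,
        )

        # source: https://en.wikipedia.org/wiki/Reserved_IP_addresses
        # NOTE(review): RFC 6890 also lists 192.0.0.0/24 (IETF Protocol
        # Assignments), of which the DS-Lite /29 below is only a subset;
        # confirm whether the wider block is wanted before relying on this
        # list as the complete set of reserved IPv4 space.
        nets = [
            '0.0.0.0/8',  # Used for broadcast messages to the current ("this") network as specified by RFC 1700, page 4.
            '10.0.0.0/8',  # Used for local communications within a private network as specified by RFC 1918.
            '100.64.0.0/10',  # Used for communications between a service provider and its subscribers when using a Carrier-grade NAT, as specified by RFC 6598.
            '127.0.0.0/8',  # Used for loopback addresses to the local host, as specified by RFC 990.
            '169.254.0.0/16',  # Used for autoconfiguration between two hosts on a single link when no IP address is otherwise specified
            '172.16.0.0/12',  # Used for local communications within a private network as specified by RFC 1918
            '192.0.0.0/29',  # Used for the DS-Lite transition mechanism as specified by RFC 6333
            '192.0.2.0/24',  # Assigned as "TEST-NET" in RFC 5737 for use solely in documentation and example source code and should not be used publicly
            '192.88.99.0/24',  # Used by 6to4 anycast relays as specified by RFC 3068
            '192.168.0.0/16',  # Used for local communications within a private network as specified by RFC 1918
            '198.18.0.0/15',  # Used for testing of inter-network communications between two separate subnets as specified in RFC 2544
            '198.51.100.0/24',  # Assigned as "TEST-NET-2" in RFC 5737 for use solely in documentation and example source code and should not be used publicly
            '203.0.113.0/24',  # Assigned as "TEST-NET-3" in RFC 5737 for use solely in documentation and example source code and should not be used publicly
            '224.0.0.0/4',  # Reserved for multicast assignments as specified in RFC 5771
            '240.0.0.0/4',  # Reserved for future use, as specified by RFC 6890
            '255.255.255.255/32',  # Reserved for the "limited broadcast" destination address, as specified by RFC 6890
            '::/128',  # Unspecified address
            '::1/128',  # loopback address to the local host.
            '::ffff:0:0/96',  # IPv4 mapped addresses
            '100::/64',  # Discard Prefix RFC 6666
            '64:ff9b::/96',  # IPv4/IPv6 translation (RFC 6052)
            '2001::/32',  # Teredo tunneling
            '2001:10::/28',  # Overlay Routable Cryptographic Hash Identifiers (ORCHID)
            '2001:db8::/32',  # Addresses used in documentation
            '2002::/16',  # 6to4
            'fc00::/7',  # Unique local address
            'fe80::/10',  # Link-local address
            'ff00::/8',  # Multicast
        ]

        # Parse each prefix once, at construction time; the resulting
        # IPy.IP objects are presumably reused by the matching logic that
        # lives outside this block.
        self.reservednets = [IPy.IP(net) for net in nets]
        self.domains = []  # list for known domains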
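    def __init__(self):
        """Register the reservedips decoder and parse its reserved-network list.

        Passes the decoder metadata to the DNSDecoder base constructor,
        turns every reserved IPv4/IPv6 prefix below into an ``IPy.IP``
        object stored in ``self.reservednets``, and initialises
        ``self.domains`` (domains seen so far) to an empty list.
        """
        DNSDecoder.__init__(self,
                        name = 'reservedips',
                        description = 'identify DNS resolutions that fall into reserved ip space',
                        filter = '(port 53)',
                        author = 'bg',
                        cleanupinterval=10,
                        maxblobs=2,
                        )

        # source: https://en.wikipedia.org/wiki/Reserved_IP_addresses
        # NOTE(review): RFC 6890 also lists 192.0.0.0/24 (IETF Protocol
        # Assignments); the DS-Lite /29 below is only a subset of it.
        # Confirm whether the wider block should be included before
        # treating this list as the complete set of reserved IPv4 space.
        nets = [ '0.0.0.0/8', # Used for broadcast messages to the current ("this") network as specified by RFC 1700, page 4.
                 '10.0.0.0/8', # Used for local communications within a private network as specified by RFC 1918.
                 '100.64.0.0/10', # Used for communications between a service provider and its subscribers when using a Carrier-grade NAT, as specified by RFC 6598.
                 '127.0.0.0/8', # Used for loopback addresses to the local host, as specified by RFC 990.
                 '169.254.0.0/16', # Used for autoconfiguration between two hosts on a single link when no IP address is otherwise specified
                 '172.16.0.0/12', # Used for local communications within a private network as specified by RFC 1918
                 '192.0.0.0/29', # Used for the DS-Lite transition mechanism as specified by RFC 6333
                 '192.0.2.0/24', # Assigned as "TEST-NET" in RFC 5737 for use solely in documentation and example source code and should not be used publicly
                 '192.88.99.0/24', # Used by 6to4 anycast relays as specified by RFC 3068
                 '192.168.0.0/16', # Used for local communications within a private network as specified by RFC 1918
                 '198.18.0.0/15', # Used for testing of inter-network communications between two separate subnets as specified in RFC 2544
                 '198.51.100.0/24', # Assigned as "TEST-NET-2" in RFC 5737 for use solely in documentation and example source code and should not be used publicly
                 '203.0.113.0/24', # Assigned as "TEST-NET-3" in RFC 5737 for use solely in documentation and example source code and should not be used publicly
                 '224.0.0.0/4', # Reserved for multicast assignments as specified in RFC 5771
                 '240.0.0.0/4', # Reserved for future use, as specified by RFC 6890
                 '255.255.255.255/32', # Reserved for the "limited broadcast" destination address, as specified by RFC 6890

                 '::/128', # Unspecified address
                 '::1/128', # loopback address to the local host.
                 '::ffff:0:0/96', # IPv4 mapped addresses
                 '100::/64', # Discard Prefix RFC 6666
                 '64:ff9b::/96', # IPv4/IPv6 translation (RFC 6052)
                 '2001::/32', # Teredo tunneling
                 '2001:10::/28', # Overlay Routable Cryptographic Hash Identifiers (ORCHID)
                 '2001:db8::/32', # Addresses used in documentation
                 '2002::/16', # 6to4
                 'fc00::/7', # Unique local address
                 'fe80::/10', # Link-local address
                 'ff00::/8', # Multicast
                ]

        # Parse each prefix once here rather than on every lookup; the
        # IPy.IP objects are presumably consumed by matching code outside
        # this block.
        self.reservednets = [IPy.IP(net) for net in nets]
        self.domains = []       # list for known domains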
 def __init__(self):
     """Register the dns decoder and its reporting switches with DNSDecoder.

     Note the capture filter is 'udp and port 53', so only UDP DNS is
     handed to this decoder.
     """
     # All five options are plain boolean switches ("store_true"); only
     # the help text differs, so build the specs from a name -> help map.
     help_text = {
         "show_noanswer": "report unanswered queries alongside other queries",
         "show_norequest": "report unsolicited responses alongside other responses",
         "only_noanswer": "report only unanswered queries",
         "only_norequest": "report only unsolicited responses",
         "showall": "show all answered queries/responses",
     }
     option_specs = {}
     for option_name, text in help_text.items():
         option_specs[option_name] = {"action": "store_true", "help": text}
     DNSDecoder.__init__(
         self,
         name="dns",
         description="extract and summarize DNS queries/responses (defaults: A,AAAA,CNAME,PTR records)",
         filter="(udp and port 53)",
         author="bg/twp",
         optiondict=option_specs,
     )
 def __init__(self):
     """Register the dns-cc decoder and its two user options with DNSDecoder.

     The ``foreign`` option is a boolean switch; ``code`` takes a string
     (a country code such as US). Both are described via ``optiondict``
     and exposed by the base class.
     """
     foreign_opt = {
         'action': 'store_true',
         'help': 'report responses in foreign countries',
     }
     # 'type': 'string' is the optparse spelling of a string-valued option;
     # how DNSDecoder interprets these specs is outside this block.
     code_opt = {
         'type': 'string',
         'help': 'filter on a specific country code (ex. US)',
     }
     DNSDecoder.__init__(
         self,
         name='dns-cc',
         description='identify country code of DNS A/AAAA record responses',
         filter='(port 53)',
         author='bg',
         cleanupinterval=10,
         maxblobs=2,
         optiondict={'foreign': foreign_opt, 'code': code_opt},
     )