def __init__(self):
    """Register the ``innuendo-dns`` decoder with the DNSDecoder framework.

    Proof-of-concept detector for the INNUENDO DNS channel. The BPF filter
    is ``(port 53)``, so both UDP and TCP DNS are fed to the decoder.
    """
    decoder_args = dict(
        name='innuendo-dns',
        description='proof-of-concept detector for INNUENDO DNS channel',
        filter='(port 53)',
        author='primalsec',
    )
    DNSDecoder.__init__(self, **decoder_args)
    # Domains exempt from detection. Starts empty; the original author
    # expected A/V vendor domains to need whitelisting. Where (or whether)
    # this list is consulted is outside this chunk -- verify in the
    # decoder's packet/blob handler before relying on it.
    self.whitelist = []
def __init__(self):
    """Register the ``dns-asn`` decoder: tag DNS A/AAAA answers with their AS.

    Captures UDP and TCP traffic on port 53. ``cleanupinterval`` and
    ``maxblobs`` are forwarded untouched to DNSDecoder; they look like
    connection/blob-tracking tunables, but their exact meaning lives in
    the base class -- confirm there before changing them.
    """
    DNSDecoder.__init__(
        self,
        name='dns-asn',
        description='identify AS of DNS A/AAAA record responses',
        filter='(port 53)',
        author='bg',
        cleanupinterval=10,
        maxblobs=2,
    )
def __init__(self):
    """Set up the ``innuendo-dns`` decoder (INNUENDO DNS channel PoC detector).

    Registers with DNSDecoder using the BPF filter ``(port 53)`` (UDP and
    TCP) and initialises an empty domain whitelist.
    """
    DNSDecoder.__init__(
        self,
        name='innuendo-dns',
        description='proof-of-concept detector for INNUENDO DNS channel',
        filter='(port 53)',
        author='primalsec',
    )
    # Empty by default; per the original author, A/V domains will probably
    # need to be whitelisted. The code that consults this list is not in
    # this chunk -- check that it is actually honoured before tuning it.
    self.whitelist = []
def __init__(self):
    """Register the ``dns-asn`` decoder (AS lookup for DNS A/AAAA answers).

    Filter is ``(port 53)``, i.e. UDP and TCP DNS. ``cleanupinterval=10``
    and ``maxblobs=2`` are passed straight through to DNSDecoder; their
    semantics are defined by the base class, not here.
    """
    base_args = {
        "name": "dns-asn",
        "description": "identify AS of DNS A/AAAA record responses",
        "filter": "(port 53)",
        "author": "bg",
        "cleanupinterval": 10,
        "maxblobs": 2,
    }
    DNSDecoder.__init__(self, **base_args)
def __init__(self):
    """Register the ``dns-cc`` decoder: country-code lookup for A/AAAA answers.

    Command-line options (optparse-style ``optiondict``):
      --foreign   report responses that resolve to foreign countries
      --code      only report a specific country code, e.g. ``US``

    What "foreign" is relative to, and whether ``--code`` is matched
    case-sensitively, is decided in the handler, not here -- confirm
    there before depending on either.
    """
    cli_options = {
        'foreign': {
            'action': 'store_true',
            'help': 'report responses in foreign countries',
        },
        'code': {
            # 'string' is optparse's type name (the framework is optparse-era)
            'type': 'string',
            'help': 'filter on a specific country code (ex. US)',
        },
    }
    DNSDecoder.__init__(
        self,
        name='dns-cc',
        description='identify country code of DNS A/AAAA record responses',
        filter='(port 53)',
        author='bg',
        cleanupinterval=10,
        maxblobs=2,
        optiondict=cli_options,
    )
def __init__(self):
    """Register the ``dns`` decoder: summarise DNS queries and responses.

    NOTE(review): the filter is ``(udp and port 53)``, unlike the sibling
    decoders' ``(port 53)``. DNS over TCP -- retries after a truncated
    (TC) UDP answer, large responses, zone transfers -- is therefore never
    seen by this decoder. That is a visibility gap for a detection tool;
    widen the filter deliberately if TCP DNS matters for your use.

    Options (all ``store_true``): ``show_noanswer``, ``show_norequest``,
    ``only_noanswer``, ``only_norequest``, ``showall``. How they combine
    is handled elsewhere in the decoder.
    """
    def flag(help_text):
        # All five options are plain boolean switches with a help string.
        return {'action': 'store_true', 'help': help_text}

    DNSDecoder.__init__(
        self,
        name='dns',
        description='extract and summarize DNS queries/responses (defaults: A,AAAA,CNAME,PTR records)',
        filter='(udp and port 53)',
        author='bg/twp',
        optiondict={
            'show_noanswer': flag('report unanswered queries alongside other queries'),
            'show_norequest': flag('report unsolicited responses alongside other responses'),
            'only_noanswer': flag('report only unanswered queries'),
            'only_norequest': flag('report only unsolicited responses'),
            'showall': flag('show all answered queries/responses'),
        },
    )
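def __init__(self):
    """Register the ``reservedips`` decoder and build its prefix table.

    Flags DNS resolutions that land in reserved / special-purpose IP space.
    Builds ``self.reservednets`` (a list of ``IPy.IP`` networks, IPv4 and
    IPv6) and an empty ``self.domains`` list. The filter is ``(port 53)``,
    so UDP and TCP DNS are both captured.

    Raises: ``ValueError`` from ``IPy.IP`` if a prefix string is malformed
    (cannot happen with the literal table below unless it is edited).
    """
    DNSDecoder.__init__(
        self,
        name='reservedips',
        description='identify DNS resolutions that fall into reserved ip space',
        filter='(port 53)',
        author='bg',
        cleanupinterval=10,
        maxblobs=2,
    )
    # source: https://en.wikipedia.org/wiki/Reserved_IP_addresses
    nets = [
        # --- IPv4 ---
        '0.0.0.0/8',           # current ("this") network, RFC 1700 p.4 / RFC 1122
        '10.0.0.0/8',          # private use, RFC 1918
        '100.64.0.0/10',       # shared address space for carrier-grade NAT, RFC 6598
        '127.0.0.0/8',         # loopback, RFC 990
        '169.254.0.0/16',      # link-local autoconfiguration, RFC 3927
        '172.16.0.0/12',       # private use, RFC 1918
        '192.0.0.0/29',        # DS-Lite transition mechanism, RFC 6333
        '192.0.2.0/24',        # TEST-NET-1, documentation only, RFC 5737
        '192.88.99.0/24',      # 6to4 anycast relays, RFC 3068 (deprecated by RFC 7526)
        '192.168.0.0/16',      # private use, RFC 1918
        '198.18.0.0/15',       # inter-network benchmarking, RFC 2544
        '198.51.100.0/24',     # TEST-NET-2, documentation only, RFC 5737
        '203.0.113.0/24',      # TEST-NET-3, documentation only, RFC 5737
        '224.0.0.0/4',         # multicast, RFC 5771
        '240.0.0.0/4',         # reserved for future use, RFC 6890
        '255.255.255.255/32',  # limited broadcast, RFC 6890 (already inside 240/4; harmless)
        # --- IPv6 ---
        '::/128',              # unspecified address
        '::1/128',             # loopback
        '::ffff:0:0/96',       # IPv4-mapped addresses
        '100::/64',            # discard-only prefix, RFC 6666
        '64:ff9b::/96',        # IPv4/IPv6 translation well-known prefix, RFC 6052
        '2001::/32',           # Teredo tunnelling
        '2001:10::/28',        # ORCHID, RFC 4843
        '2001:db8::/32',       # documentation only
        '2002::/16',           # 6to4
        'fc00::/7',            # unique local addresses
        'fe80::/10',           # link-local
        'ff00::/8',            # multicast
    ]
    # NOTE(review): coverage gaps, left unchanged so existing detections do
    # not shift -- extend deliberately if wanted:
    #  * RFC 6890 reserves all of 192.0.0.0/24 (IETF Protocol Assignments);
    #    only the DS-Lite /29 is listed, so e.g. 192.0.0.170/171 (NAT64
    #    discovery, RFC 7050) would not be flagged.
    #  * 2001:20::/28 (ORCHIDv2, RFC 7343) and 2001:2::/48 (benchmarking)
    #    are not covered.
    # Parse once here; the comparison loop elsewhere should not re-parse.
    self.reservednets = [IPy.IP(net) for net in nets]
    self.domains = []  # list for known domains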
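def __init__(self):
    """Register the ``reservedips`` decoder and precompute its prefix table.

    Detects DNS answers whose address falls in reserved / special-purpose
    IPv4 or IPv6 space. Sets ``self.reservednets`` (list of ``IPy.IP``
    networks) and ``self.domains`` (initially empty). Filter ``(port 53)``
    covers both UDP and TCP DNS.

    Raises: ``ValueError`` from ``IPy.IP`` if a prefix below is malformed.
    """
    DNSDecoder.__init__(
        self,
        name='reservedips',
        description='identify DNS resolutions that fall into reserved ip space',
        filter='(port 53)',
        author='bg',
        cleanupinterval=10,
        maxblobs=2,
    )
    # source: https://en.wikipedia.org/wiki/Reserved_IP_addresses
    reserved_v4 = [
        '0.0.0.0/8',           # current ("this") network, RFC 1700 p.4 / RFC 1122
        '10.0.0.0/8',          # private use, RFC 1918
        '100.64.0.0/10',       # carrier-grade NAT shared space, RFC 6598
        '127.0.0.0/8',         # loopback, RFC 990
        '169.254.0.0/16',      # link-local autoconfiguration, RFC 3927
        '172.16.0.0/12',       # private use, RFC 1918
        '192.0.0.0/29',        # DS-Lite, RFC 6333
        '192.0.2.0/24',        # TEST-NET-1, documentation only, RFC 5737
        '192.88.99.0/24',      # 6to4 anycast relays, RFC 3068 (deprecated by RFC 7526)
        '192.168.0.0/16',      # private use, RFC 1918
        '198.18.0.0/15',       # benchmarking, RFC 2544
        '198.51.100.0/24',     # TEST-NET-2, documentation only, RFC 5737
        '203.0.113.0/24',      # TEST-NET-3, documentation only, RFC 5737
        '224.0.0.0/4',         # multicast, RFC 5771
        '240.0.0.0/4',         # reserved for future use, RFC 6890
        '255.255.255.255/32',  # limited broadcast, RFC 6890 (subset of 240/4)
    ]
    reserved_v6 = [
        '::/128',              # unspecified
        '::1/128',             # loopback
        '::ffff:0:0/96',       # IPv4-mapped
        '100::/64',            # discard-only, RFC 6666
        '64:ff9b::/96',        # IPv4/IPv6 translation, RFC 6052
        '2001::/32',           # Teredo
        '2001:10::/28',        # ORCHID, RFC 4843
        '2001:db8::/32',       # documentation only
        '2002::/16',           # 6to4
        'fc00::/7',            # unique local addresses
        'fe80::/10',           # link-local
        'ff00::/8',            # multicast
    ]
    # NOTE(review): not covered, kept as-is to avoid changing detections:
    # the rest of 192.0.0.0/24 (IETF Protocol Assignments, RFC 6890 --
    # e.g. 192.0.0.170/171 NAT64 discovery), 2001:20::/28 (ORCHIDv2,
    # RFC 7343) and 2001:2::/48 (benchmarking). Add deliberately if needed.
    # Parse each prefix exactly once; matching happens elsewhere.
    self.reservednets = [IPy.IP(net) for net in reserved_v4 + reserved_v6]
    self.domains = []  # list for known domains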
def __init__(self):
    """Register the ``dns`` decoder (DNS query/response summariser).

    NOTE(review): the BPF filter is ``(udp and port 53)`` whereas the other
    DNS decoders in this file use ``(port 53)``; DNS over TCP (truncated-
    answer retries, large responses, AXFR) is not visible to this decoder.
    Treat that as a known blind spot when using it for detection.

    The five options below are all ``store_true`` switches; how they
    interact is decided in the handler, not in this constructor.
    """
    switches = [
        ("show_noanswer", "report unanswered queries alongside other queries"),
        ("show_norequest", "report unsolicited responses alongside other responses"),
        ("only_noanswer", "report only unanswered queries"),
        ("only_norequest", "report only unsolicited responses"),
        ("showall", "show all answered queries/responses"),
    ]
    option_table = {
        opt_name: {"action": "store_true", "help": help_text}
        for opt_name, help_text in switches
    }
    DNSDecoder.__init__(
        self,
        name="dns",
        description="extract and summarize DNS queries/responses (defaults: A,AAAA,CNAME,PTR records)",
        filter="(udp and port 53)",
        author="bg/twp",
        optiondict=option_table,
    )
def __init__(self):
    """Register the ``dns-cc`` decoder (country code of DNS A/AAAA answers).

    Options: ``--foreign`` (boolean) reports answers resolving to foreign
    countries; ``--code`` (optparse ``string``) restricts output to one
    country code such as ``US``. The reference point for "foreign" and
    the case handling of ``--code`` are defined in the handler, not here.
    """
    DNSDecoder.__init__(
        self,
        name='dns-cc',
        description='identify country code of DNS A/AAAA record responses',
        filter='(port 53)',
        author='bg',
        cleanupinterval=10,
        maxblobs=2,
        optiondict={
            'foreign': dict(
                action='store_true',
                help='report responses in foreign countries',
            ),
            'code': dict(
                type='string',
                help='filter on a specific country code (ex. US)',
            ),
        },
    )