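def run(self):
    """Tail the JSON-formatted Bro/Zeek ``dns.log`` and fold each record into ``homenet``.

    Runs forever as the reader thread's body.  Every 5 s it calls
    ``self.get_new_lines()`` and, when that reports new data, walks
    ``self.new_lines``.  A record is processed only if its ``query`` is
    present, not ``'-'``, passes ``utils.validate_domain``, its TLD is not in
    ``self.tld_whitelist``, it carries a ``rcode_name`` and its ``id.orig_h``
    is a known ``homenet.hosts`` entry.  Under ``lock`` it then creates a
    ``DNSRequest`` for a first-seen query or bumps the existing entry's
    ``lseen``/``counter``; NXDOMAIN answers whose SLD is not in
    ``top_domains`` are appended to ``dga_domains``, and MX lookups or
    ``mail.``-prefixed names to ``spammed_domains``.

    Any per-line failure (bad JSON, missing key, non-numeric ``ts``) is
    logged at debug level and the line skipped, so one bad record cannot
    stop the thread.
    """
    while 1:
        if self.get_new_lines():
            for line in self.new_lines:
                try:
                    fields = json.loads(line.strip())
                    query = fields.get("query")
                    if query is None or query == '-' or not utils.validate_domain(query):
                        continue
                    if utils.get_tld(query) in self.tld_whitelist:
                        continue
                    rcode = fields.get("rcode_name")
                    if rcode is None:
                        # No response code: nothing is recorded for this line.
                        continue
                    cip = fields["id.orig_h"]
                    ts = float(fields["ts"])
                    sld = utils.get_sld(query)
                    # Take qtype from *this* record.  The MX check below used to
                    # read `request.qtype`, but `request` was only bound on the
                    # first-seen path, so repeat queries tested an unbound or
                    # stale object from an earlier iteration.
                    qtype = fields.get("qtype_name")
                    with lock:
                        if cip not in homenet.hosts:
                            continue
                        host = homenet.hosts[cip]
                        if query in host.dns:
                            host.dns[query].lseen = ts
                            host.dns[query].counter += 1
                        else:
                            request = DNSRequest()
                            request.ts = ts
                            request.cip = cip
                            request.query = query
                            request.tld = utils.get_tld(query)
                            request.sld = sld
                            # sip is the responder address: the tab-separated
                            # reader stores column 4 (id.resp_h) here, and the
                            # client address is already kept in `cip`.
                            request.sip = fields.get("id.resp_h")
                            request.qtype = qtype
                            request.qresult = rcode
                            host.dns[query] = request
                        if rcode == 'NXDOMAIN' and sld not in top_domains:
                            if query not in host.dga_domains:
                                host.dga_domains.append(query)
                        if qtype == "MX" or query.startswith('mail.'):
                            if query not in host.spammed_domains:
                                host.spammed_domains.append(query)
                except Exception as e:
                    # str(e), not e.message: that attribute is Python 2 only and
                    # would raise inside this handler on Python 3, killing the
                    # reader thread.
                    log.debug('FG-DEBUG: read_bro_dns_log - ' + str(e.__doc__) + " - " + str(e))
        time.sleep(5)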
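def run(self):
    """Tail the tab-separated Bro ``dns.log`` and fold each record into ``homenet``.

    Runs forever as the reader thread's body: every 5 s it calls
    ``self.get_new_lines()`` and, when that reports new data, walks
    ``self.new_lines``.  Comment lines (``#``), blank lines and records with
    fewer than 16 columns are skipped.  Column layout used (0-based):
    0 ts, 2 id.orig_h, 4 id.resp_h, 9 query, 13 qtype_name, 15 rcode_name.

    A record is processed only if its query is not ``'-'``, passes
    ``utils.validate_domain`` and has a TLD outside ``self.tld_whitelist``,
    and if its client is a known ``homenet.hosts`` entry.  Under ``lock`` an
    NXDOMAIN answer appends the query to ``dga_domains``; any other answer
    creates a ``DNSRequest`` for a first-seen query or bumps the existing
    entry's ``lseen``/``counter``.  MX lookups and ``mail.``-prefixed names
    are appended to ``spammed_domains`` regardless of rcode.

    Per-line failures are logged at debug level and the line skipped so one
    bad record cannot stop the thread.
    """
    while 1:
        if self.get_new_lines():
            for line in self.new_lines:
                line = line.strip()
                # A blank line used to reach `line[0]` outside the try block
                # and raise IndexError, which killed the reader thread.
                if not line or line[0] == '#':
                    continue
                fields = line.split('\t')
                if len(fields) < 16:
                    # Truncated / partial record (e.g. still being written).
                    continue
                try:
                    query = fields[9]
                    if query == '-' or not utils.validate_domain(query):
                        continue
                    if utils.get_tld(query) in self.tld_whitelist:
                        continue
                    cip = fields[2]
                    sld = utils.get_sld(query)
                    qtype = fields[13]
                    rcode = fields[15]
                    with lock:
                        if cip not in homenet.hosts:
                            continue
                        host = homenet.hosts[cip]
                        if rcode == 'NXDOMAIN':
                            if query not in host.dga_domains:
                                host.dga_domains.append(query)
                        elif query in host.dns:
                            host.dns[query].lseen = float(fields[0])
                            host.dns[query].counter += 1
                        else:
                            request = DNSRequest()
                            request.ts = float(fields[0])
                            request.cip = cip
                            request.query = query
                            request.tld = utils.get_tld(query)
                            request.sld = sld
                            request.sip = fields[4]
                            request.qtype = qtype
                            request.qresult = rcode
                            host.dns[query] = request
                        if qtype == 'MX' or query.startswith('mail.'):
                            if query not in host.spammed_domains:
                                host.spammed_domains.append(query)
                except Exception as e:
                    # str() on both parts: e.__doc__ may be None (TypeError on
                    # concatenation) and e.message does not exist on Python 3.
                    log.debug('FG-WARN: read_bro_dns_log - ' + str(e.__doc__) + " - " + str(e))
        time.sleep(5)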
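def is_top_domain(ip, log_path='/usr/local/bro/logs/current/dns.log'):
    """Return True if ``ip`` appears in a dns.log record whose query SLD is in ``top_domains``.

    Scans the JSON-per-line ``dns.log`` at ``log_path`` (default: the
    current Bro log).  A record counts only if ``ip`` equals one of its
    field values exactly (a string value, or an element of a list value).
    The previous plain substring test matched ``10.0.0.1`` inside
    ``10.0.0.10`` and inside any query name a host chose to look up, such as
    ``10.0.0.1.example.com`` -- log text a monitored host controls -- which
    made it easy to manufacture a match.  What the caller does with the
    result is not visible here.  Lines that are not JSON objects or lack
    ``query`` are skipped.

    Raises IOError/OSError if the log cannot be opened.
    """
    with open(log_path, 'r') as f:
        for line in f:
            # Cheap substring prefilter; the exact field check below decides.
            if ip not in line:
                continue
            try:
                rec = json.loads(line)
                if not isinstance(rec, dict):
                    continue
                if not any(ip == v or (isinstance(v, list) and ip in v) for v in rec.values()):
                    continue
                if utils.get_sld(rec["query"]) in top_domains:
                    return True
            except (ValueError, KeyError):
                # Malformed line or record without a query: skip it.
                continue
    return False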
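def is_top_domain(ip, log_path='/usr/local/bro/logs/current/dns.log'):
    """Return True if ``ip`` appears in a dns.log record whose query SLD is in ``top_domains``.

    Scans the tab-separated ``dns.log`` at ``log_path`` (default: the
    current Bro log); column 9 (0-based) is the query.  A record counts only
    if ``ip`` equals a whole column exactly.  The previous plain substring
    test matched ``10.0.0.1`` inside ``10.0.0.10`` and inside any query name
    a host chose to look up, such as ``10.0.0.1.example.com`` -- log text a
    monitored host controls -- which made it easy to manufacture a match.
    What the caller does with the result is not visible here.  Comment
    lines, short records and ``'-'`` queries are skipped.

    Raises IOError/OSError if the log cannot be opened.
    """
    with open(log_path, 'r') as f:
        for line in f:
            # Cheap substring prefilter; the exact column check below decides.
            if ip not in line or line.startswith('#'):
                continue
            fields = line.rstrip('\r\n').split('\t')
            if ip not in fields or len(fields) <= 9:
                continue
            query = fields[9]
            if query == '-':
                continue
            if utils.get_sld(query) in top_domains:
                return True
    return False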
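def is_top_domain(ip, log_path='/opt/zeek/logs/current/dns.log'):
    """Return True if ``ip`` appears in a dns.log record whose query SLD is in ``top_domains``.

    Scans the JSON-per-line ``dns.log`` at ``log_path`` (default: the
    current Zeek log).  A record counts only if ``ip`` equals one of its
    field values exactly (a string value, or an element of a list value).
    The previous plain substring test matched ``10.0.0.1`` inside
    ``10.0.0.10`` and inside any query name a host chose to look up, such as
    ``10.0.0.1.example.com`` -- log text a monitored host controls -- which
    made it easy to manufacture a match.  What the caller does with the
    result is not visible here.  Lines that are not JSON objects or lack
    ``query`` are skipped (the old code only tolerated bad JSON; a record
    without ``query`` raised KeyError).

    Raises IOError/OSError if the log cannot be opened.
    """
    with open(log_path, 'r') as f:
        for line in f:
            # Cheap substring prefilter; the exact field check below decides.
            if ip not in line:
                continue
            try:
                rec = json.loads(line)
                if not isinstance(rec, dict):
                    continue
                if not any(ip == v or (isinstance(v, list) and ip in v) for v in rec.values()):
                    continue
                if utils.get_sld(rec["query"]) in top_domains:
                    return True
            except (ValueError, KeyError):
                # Malformed line or record without a query: skip it.
                continue
    return False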