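def process_msg(m):
    """Screen one nmsg record and forward fast-flux-looking A rrsets as candidates.

    ``m`` is an nmsg message: fields are read with ``m['field']`` and the
    frame's creation time with the ``time_sec`` attribute (both forms are
    used on purpose, they are different parts of the nmsg API).  The record
    is silently dropped unless every filter below passes, in this order:

    * it is an ``EXPIRATION`` record for rrtype 1 (A);
    * its TTL is at most ``MAX_SUSPICIOUS_TTL``;
    * a small rrset (fewer than ``MIN_SUSPICIOUS_RRSET_SIZE`` addresses) is
      kept only when the TTL is at most ``VERY_SHORT_TTL``;
    * ``rdata_diversity`` must not return a negative score, and a large
      rrset must score at least ``MIN_SUSPICIOUS_DIVERSITY``;
    * the window between ``time_first`` and the frame time is non-zero.

    Survivors are handed to ``add_to_candidate_domains``.  Nothing is
    returned.  A missing required field raises ``KeyError``.

    Changes from the previous revision: the deprecated ``sets.Set`` is
    replaced by the builtin ``set`` and the commented-out debug prints are
    removed; the filtering logic is unchanged.
    """
    if m['type'] != "EXPIRATION":
        return
    if m['rrtype'] != 1:  # 1 == A: only IPv4 address rrsets are scored
        return
    if m['rrttl'] > MAX_SUSPICIOUS_TTL:
        return
    # A small rrset is only interesting when its TTL is very short.
    if len(m['rdata']) < MIN_SUSPICIOUS_RRSET_SIZE and m['rrttl'] > VERY_SHORT_TTL:
        return

    qname = wdns.domain_to_str(m['rrname'])
    qcount = m['count']
    ttl = m['rrttl']
    # Distinct rdata in presentation form (duplicates collapse in the set).
    rrset_str = set(
        str(wdns.rdata(rr, m['rrclass'], m['rrtype'])) for rr in m['rdata'])

    diversity = rdata_diversity(rrset_str)
    if diversity < 0:  # helper signals "no usable score" with a negative value
        return
    if len(m['rdata']) >= MIN_SUSPICIOUS_RRSET_SIZE and diversity < MIN_SUSPICIOUS_DIVERSITY:
        return

    # Naive local-time datetimes; all three use the same conversion, so the
    # delta below is unaffected, but the stored first/last_seen are local time.
    first_seen = datetime.fromtimestamp(m['time_first'])
    if 'time_last' in m.keys():
        last_seen = datetime.fromtimestamp(m['time_last'])
    else:
        last_seen = first_seen
    msg_creation = datetime.fromtimestamp(m.time_sec)

    # Observation window in whole seconds (timestamps are integral, so the
    # microsecond part is always zero).  A zero window would make any
    # per-hour rate undefined, so such records are skipped.  A negative
    # window (time_first after the frame time, i.e. clock skew) is not
    # rejected here — NOTE(review): consider treating it as malformed.
    delta = msg_creation - first_seen
    seconds = delta.days * 86400 + delta.seconds
    if seconds == 0:
        return

    add_to_candidate_domains(qname, qcount, ttl, rrset_str, first_seen, last_seen, msg_creation)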

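# Command line: a positional nmsg input file and an optional output path
# ('-' or omitted means stdout).
parser = argparse.ArgumentParser()
parser.add_argument('--output', '-o', default='-', help='Output to file')
parser.add_argument('input', help='Input file')
args = parser.parse_args()

if args.output == '-':
    out = sys.stdout
else:
    out = open(args.output, 'w')  # truncates an existing file

try:
    # nmsg_input (defined elsewhere in this file) is expected to yield one
    # message per record of the input file.
    for m in nmsg_input(nmsg.input.open_file(args.input)):
        print >> out, 'count: %d' % m['count']
        # Naive local-time timestamps, rendered as ISO 8601.
        print >> out, 'time_first: %s' % datetime.datetime.fromtimestamp(
            m['time_first']).isoformat()
        print >> out, 'time_last: %s' % datetime.datetime.fromtimestamp(
            m['time_last']).isoformat()
        # response_ip is not present on every message, so probe for it first.
        if 'response_ip' in m.fields:
            print >> out, 'response_ip: %s' % m['response_ip']
        # NOTE(review): rrname/bailiwick originate from observed DNS data.
        # This relies on wdns.domain_to_str escaping non-printable bytes;
        # confirm that before trusting the output on a terminal.
        print >> out, 'bailiwick: %s' % wdns.domain_to_str(m['bailiwick'])
        print >> out, 'rrname: %s' % wdns.domain_to_str(m['rrname'])
        print >> out, 'rrclass: %s (%d)' % (wdns.rrclass_to_str(
            m['rrclass']), m['rrclass'])
        print >> out, 'rrtype: %s (%d)' % (wdns.rrtype_to_str(
            m['rrtype']), m['rrtype'])
        print >> out, 'rrttl: %d' % m['rrttl']
        for rdata in m['rdata']:
            # Fix: this was a bare `print`, so the rdata lines went to
            # stdout and were missing from the file chosen with --output.
            print >> out, 'rrdata: %s' % repr(
                wdns.rdata(rdata, m['rrclass'], m['rrtype']))
        print >> out
finally:
    # Flush and close the file we opened ourselves; never close sys.stdout.
    if out is not sys.stdout:
        out.close()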
        m = input.read()
        if not m:
            break
        yield m

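# Command line: a positional nmsg input file and an optional output path
# ('-' or omitted means stdout).
parser = argparse.ArgumentParser()
parser.add_argument('--output','-o', default='-',
        help='Output to file')
parser.add_argument('input', help='Input file')
args = parser.parse_args()

if args.output == '-':
    out = sys.stdout
else:
    out = open(args.output, 'w')  # truncates an existing file

try:
    # nmsg_input (the generator defined just above) yields one message per
    # record of the input file.
    for m in nmsg_input(nmsg.input.open_file(args.input)):
        print >>out, 'count: %d' % m['count']
        # Naive local-time timestamps, rendered as ISO 8601.
        print >>out, 'time_first: %s' % datetime.datetime.fromtimestamp(m['time_first']).isoformat()
        print >>out, 'time_last: %s' % datetime.datetime.fromtimestamp(m['time_last']).isoformat()
        # response_ip is not present on every message, so probe for it first.
        if 'response_ip' in m.fields:
            print >>out, 'response_ip: %s' % m['response_ip']
        # NOTE(review): rrname/bailiwick originate from observed DNS data.
        # This relies on wdns.domain_to_str escaping non-printable bytes;
        # confirm that before trusting the output on a terminal.
        print >>out, 'bailiwick: %s' % wdns.domain_to_str(m['bailiwick'])
        print >>out, 'rrname: %s' % wdns.domain_to_str(m['rrname'])
        print >>out, 'rrclass: %s (%d)' % (wdns.rrclass_to_str(m['rrclass']), m['rrclass'])
        print >>out, 'rrtype: %s (%d)' % (wdns.rrtype_to_str(m['rrtype']), m['rrtype'])
        print >>out, 'rrttl: %d' % m['rrttl']
        for rdata in m['rdata']:
            # Fix: this was a bare `print`, so the rdata lines went to
            # stdout and were missing from the file chosen with --output.
            print >>out, 'rrdata: %s' % repr(wdns.rdata(rdata, m['rrclass'], m['rrtype']))
        print >>out
finally:
    # Flush and close the file we opened ourselves; never close sys.stdout.
    if out is not sys.stdout:
        out.close()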