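# Check for unknown args
if commands:
    print('Unrecognized args: %s' % commands)
    sys.exit(1)

# Sanity check that this is an x509 log. This only inspects the file *name*;
# it does not verify the log's contents or its #fields header, so a misnamed
# file will pass here and fail later at row['certificate.issuer'].
# Guarding on a missing value first avoids a TypeError from `'x509' not in None`.
if not args.zeek_log or 'x509' not in args.zeek_log:
    print('This example only works with Zeek x509.log files..')
    sys.exit(1)

# File may have a tilde in it
args.zeek_log = os.path.expanduser(args.zeek_log)

# Create a VirusTotal Query Class
vtq = vt_query.VTQuery()

# These domains may be spoofed with a certificate issued by 'Let's Encrypt'.
# Matching below is plain substring matching on the raw subject string, so
# 'apple' also hits e.g. 'pineapple'; treat a hit as a lead, not a verdict.
spoofed_domains = {'paypal', 'gmail', 'google', 'apple', 'ebay', 'amazon'}

# Run the zeek reader on the x509.log file looking for spoofed domains.
# tail=True keeps reading as the log grows, so this loop is long-lived.
reader = zeek_log_reader.ZeekLogReader(args.zeek_log, tail=True)
for row in reader.readrows():
    # Pull out the Certificate Issuer
    issuer = row['certificate.issuer']
    if "Let's Encrypt" in issuer:
        # Check if the certificate subject has any spoofed domains.
        # A generator expression short-circuits on the first hit; the
        # original list comprehension evaluated every candidate.
        subject = row['certificate.subject']
        if any(domain in subject for domain in spoofed_domains):
            ...  # NOTE(review): the body of this branch is not in this excerpt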
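# Sanity check that this is a dns log. This only inspects the file *name*,
# not the log's contents or #fields header. Guarding on a missing value first
# avoids a TypeError from `'dns' not in None`.
if not args.zeek_log or 'dns' not in args.zeek_log:
    print('This example only works with Zeek dns.log files..')
    sys.exit(1)

# File may have a tilde in it
args.zeek_log = os.path.expanduser(args.zeek_log)

# See if we have a serialized VirusTotal Query Class.
# If we do not have one we'll create a new one.
#
# NOTE(review): pickle.load() deserializes arbitrary objects from whatever
# is at the relative path 'vtq.pkl' in the current working directory; only
# run this from a directory whose contents you control, and treat the cache
# file with the same trust as the script itself.
#
# The file is opened with `with` so the handle is closed on every path;
# the original `pickle.load(open(...))` leaked it. Besides a missing file
# (IOError), a truncated or corrupt cache raises EOFError or
# pickle.UnpicklingError -- those are treated the same way: start fresh.
try:
    with open('vtq.pkl', 'rb') as cache_file:
        vtq = pickle.load(cache_file)
    print('Opening VirusTotal Query Cache (cache_size={:d})...'.format(
        vtq.size))
except (IOError, EOFError, pickle.UnpicklingError):
    vtq = vt_query.VTQuery(max_cache_time=60 * 24 * 7)  # One week cache

# See our 'Risky Domains' Notebook for the analysis and
# statistical methods used to compute this risky set of TLDs
risky_tlds = {
    'info', 'tk', 'xyz', 'online', 'club', 'ru', 'website', 'in', 'ws',
    'top', 'site', 'work', 'biz', 'name', 'tech', 'loan', 'win', 'pro',
}

# Launch long lived process with signal catcher so save_vtq runs on exit
# (save_vtq and signal_utils are defined outside this excerpt).
with signal_utils.signal_catcher(save_vtq):
    # Run the zeek reader on the dns.log file looking for risky TLDs
    reader = zeek_log_reader.ZeekLogReader(args.zeek_log)
    for row in reader.readrows():
        ...  # NOTE(review): the loop body continues beyond this excerpt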