Esempio n. 1
    # Check for unknown args
    if commands:
        print('Unrecognized args: %s' % commands)
        sys.exit(1)

    # Sanity check that this is a dns log
    if 'x509' not in args.zeek_log:
        print('This example only works with Zeek x509.log files..')
        sys.exit(1)

    # File may have a tilde in it
    if args.zeek_log:
        args.zeek_log = os.path.expanduser(args.zeek_log)

        # Create a VirusTotal Query Class
        vtq = vt_query.VTQuery()

        # These domains may be spoofed with a certificate issued by 'Let's Encrypt'
        spoofed_domains = set(['paypal', 'gmail', 'google', 'apple','ebay', 'amazon'])

        # Run the zeek reader on the x509.log file looking for spoofed domains
        reader = zeek_log_reader.ZeekLogReader(args.zeek_log, tail=True)
        for row in reader.readrows():

            # Pull out the Certificate Issuer
            issuer = row['certificate.issuer']
            if "Let's Encrypt" in issuer:

                # Check if the certificate subject has any spoofed domains
                subject = row['certificate.subject']
                if any([domain in subject for domain in spoofed_domains]):
Esempio n. 2
    if 'dns' not in args.zeek_log:
        print('This example only works with Zeek dns.log files..')
        sys.exit(1)

    # File may have a tilde in it
    if args.zeek_log:
        args.zeek_log = os.path.expanduser(args.zeek_log)

        # See if we have a serialized VirusTotal Query Class.
        # If we do not have one we'll create a new one
        try:
            vtq = pickle.load(open('vtq.pkl', 'rb'))
            print('Opening VirusTotal Query Cache (cache_size={:d})...'.format(
                vtq.size))
        except IOError:
            vtq = vt_query.VTQuery(max_cache_time=60 * 24 *
                                   7)  # One week cache

        # See our 'Risky Domains' Notebook for the analysis and
        # statistical methods used to compute this risky set of TLDs
        risky_tlds = set([
            'info', 'tk', 'xyz', 'online', 'club', 'ru', 'website', 'in', 'ws',
            'top', 'site', 'work', 'biz', 'name', 'tech', 'loan', 'win', 'pro'
        ])

        # Launch long lived process with signal catcher
        with signal_utils.signal_catcher(save_vtq):

            # Run the zeek reader on the dns.log file looking for risky TLDs
            reader = zeek_log_reader.ZeekLogReader(args.zeek_log)
            for row in reader.readrows():