コード例 #1
ファイル: IOC_STIX.py プロジェクト: n0rr1s/IOC_STIX
def DNSRequestObj(dnsinfo):
    """Build an Indicator describing a single DNS request over IPv4/UDP.

    Args:
        dnsinfo: Indexable record of the request. This function reads
            index 1 (source port), 2 (destination IP address),
            3 (destination port), 4 (queried name) and 5 (query type,
            passed through ``translateType``). Index 0 is not read here.

    Returns:
        An Indicator titled "DNS Request" whose only added object is the
        NetworkConnection assembled from ``dnsinfo``.
    """
    # NOTE(review): the values taken from dnsinfo are copied in as-is; this
    # function performs no validation, so any checking of ports, addresses
    # or names has to happen in the caller -- confirm where that is done.

    # Source endpoint: only the port is recorded. No source IP address is
    # assigned, so the resulting object does not identify the querying host.
    src_port = Port()
    src_port.port_value = dnsinfo[1]
    src_port.layer4_protocol = "UDP"
    src_endpoint = SocketAddress()
    src_endpoint.port = src_port

    # Destination endpoint: address and port the request was sent to.
    dst_endpoint = SocketAddress()
    dst_endpoint.ip_address = dnsinfo[2]
    dst_port = Port()
    dst_port.port_value = dnsinfo[3]
    dst_port.layer4_protocol = "UDP"
    dst_endpoint.port = dst_port

    # Layer-7 payload: one DNS question wrapped in a DNS query.
    question = DNSQuestion()
    question.qname = dnsinfo[4]
    question.qtype = translateType(dnsinfo[5])
    dns_query = DNSQuery()
    dns_query.question = question
    l7 = Layer7Connections()
    l7.dns_query = dns_query

    connection = NetworkConnection()
    connection.layer3_protocol = "IPv4"
    connection.layer4_protocol = "UDP"
    connection.layer7_protocol = "DNS"
    connection.source_socket_address = src_endpoint
    connection.destination_socket_address = dst_endpoint
    connection.layer7_connections = l7

    result = Indicator()
    result.title = "DNS Request"
    result.description = "An indicator containing information about a DNS Request"
    result.set_produced_time(utils.dates.now())
    result.add_object(connection)
    return result
コード例 #2
ファイル: email_to_cybox.py プロジェクト: AAG-SATIEDN/Tools
    def __create_dns_query_object(self, domain, record_type, nameserver=None):
        """Build a CybOX DNSQuery asking for ``record_type`` records of ``domain``.

        The question's class is fixed to 'IN' and the query is always marked
        as not successful. ``nameserver`` is accepted but not used in this
        method, so the returned object does not record which server was asked.
        """
        dns_query = DNSQuery()
        # Hard-coded: no lookup result is consulted here.
        dns_query.successful = False

        dns_question = DNSQuestion()
        dns_question.qname = self.__create_domain_name_object(domain)
        dns_question.qtype = String(record_type)
        dns_question.qclass = String('IN')
        dns_query.question = dns_question

        return dns_query
コード例 #3
ファイル: cuckoo-cybox.py プロジェクト: zeroq/cuckoo
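    def __create_cybox_dns_queries(self, hdict, whitelist):
        """Convert DNS request entries into a de-duplicated list of DNSQuery objects.

        Args:
            hdict: Iterable of mappings; each must provide the string keys
                'request' (the queried name) and 'type' (the record type).
            whitelist: Passed unchanged to the domain-object helper.

        Returns:
            A list of DNSQuery objects in first-seen order, one per distinct
            request name for which the helper produced a domain object.
        """
        queries = []
        # A set gives constant-time membership tests; the list used before
        # made the loop quadratic in the number of distinct names.
        seen_names = set()

        for entry in hdict:
            name = entry['request'].strip()
            # NOTE(review): de-duplication is keyed on the stripped name only.
            # It is case-sensitive, and a later entry for the same name with a
            # different record type is dropped -- confirm this is intended
            # before relying on the output as a complete query record.
            if name in seen_names:
                continue

            question = DNSQuestion()
            question.qname = self.__create_cybox_domain_object(name, whitelist)
            if not question.qname:
                # The helper returned nothing usable (presumably a whitelisted
                # name -- verify against the helper). Such names are skipped
                # and, as before, not marked as seen.
                continue
            question.qtype = String(entry['type'].strip())
            question.qclass = String("IN")

            query = DNSQuery()
            # Hard-coded: no answer data is consulted in this method.
            query.successful = False
            query.question = question

            queries.append(query)
            seen_names.add(name)
        return queries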