else: sport = udp.sport dport = udp.dport data = udp.data except: # Getting TCP metadata try: tcp = ip.tcp if tcp.sport != 53 and tcp.dport != 53: continue else: sport = tcp.sport dport = tcp.dport data = tcp.data continue # haven't added tcp dns support yes, so we'll just continue except: continue break if nmp: break meta = [dec2ip(unpack('>I',ip.src)[0]), sport, dec2ip(unpack('>I',ip.dst)[0]), dport, ip.p, packet[0][0] ] in_queue.put([meta,udp.data]) # vim:tabstop=4:expandtab:shiftwidth=4:smarttab:softtabstop=4:autoindent:smartindent cinwords=if,elif,else,for,while,try,except,finally,def,class
res = {'white':False,'hard':False} if name: ip, ttl = data.an[i].ip, data.an[i].ttl if settings['dns_answer'] == 'On': self.iaq.put([meta,data.an[i].name,ip,'R',ttl]) if not (res['white'] and res['hard']): # known_domains ip support goes here if settings['known_domains'] == 'On': ires = self.blipip(ip) if not ires['white'] and ires['hard'] and ip not in ips: ires['msg'] = 'Domain Resolution Contained Blacklisted IP Address' report = { 'type' :'event','agent' :'known_domains', 'event' :{'agent' :'known_domains','meta':meta, 'res':ires, 'host':dec2ip(unpack('>I',ip)[0])}} if settings['fusion']: self.out_queue.put(report) ips[ip] = '' if settings['known_domains'] == 'On' and name[2] not in doms: report = { 'type' :'event','agent' :'known_domains', 'event' :{'agent' :'known_domains','meta':meta, 'res':res, 'host':name[2]}} if settings['fusion']: self.out_queue.put(report) doms[name[2]] = '' except: pass elif data.an[i].type == dns.DNS_CNAME: # if this is in alias, answer(alias) analysis try: name = domaintools.tld_detect(data.an[i].name)
def analyze(self,meta,data): # Analyze the DNS packet, handle distribution to agents. # Meta = [metadata list format] # Data is a dpkt.dns object try: if data.opcode == dns.DNS_QUERY: # operation is Query or Query Response # DNS Query Analysis if data.qr == dns.DNS_Q: doms = {} for i in xrange(len(data.qd)): # for domain in query list try: name = domaintools.tld_detect(data.qd[i].name)) if settings['blips'] == 'On': res = self.blip(name[2]) else: res = {'white':False,'hard':False} if name: if not (res['white'] and res['hard']): # put [meta,name,'Q'] into derpy.hooves queue ('Q' = query) if settings['hooves'] == 'On': self.inq.put([meta,name,'Q']) # put meta and domain into derpy.dash queue if settings['dash'] == 'On': self.icq.put([meta,name]) # Blips support goes here if settings['blips'] == 'On' and name[2] not in doms: report = { 'type' :'event','agent' :'blips', 'event' :{'agent' :'blips','meta':meta, 'res':res, 'host':name[2]}} if settings['rainbow']: self.out_queue.put(report) doms[name[2]] = '' except: pass # DNS Response analysis elif data.qr == dns.DNS_R: ips,doms = {},{} for i in xrange(len(data.an)): # cycle through answers if data.an[i].cls == dns.DNS_IN: if data.an[i].type == dns.DNS_A: # if answers, answer(ip) and ttl analysis try: name = domaintools.tld_detect(data.an[i].name) if settings['blips'] == 'On': res = self.blip(name[2]) else: res = {'white':False,'hard':False} if name: ip, ttl = data.an[i].ip, data.an[i].ttl if settings['jack'] == 'On': self.iaq.put([meta,data.an[i].name,ip,'R',ttl]) if not (res['white'] and res['hard']): # blips ip support goes here if settings['blips'] == 'On': ires = self.blipip(ip) if not ires['white'] and ires['hard'] and ip not in ips: ires['msg'] = 'Domain Resolution Contained Blacklisted IP Address' report = { 'type' :'event','agent' :'blips', 'event' :{'agent' :'blips','meta':meta, 'res':ires, 'host':dec2ip(unpack('>I',ip)[0])}} if settings['rainbow']: self.out_queue.put(report) ips[ip] = '' if settings['blips'] == 'On' and name[2] not in doms: report = { 'type' :'event','agent' :'blips', 'event' :{'agent' :'blips','meta':meta, 'res':res, 'host':name[2]}} if settings['rainbow']: self.out_queue.put(report) doms[name[2]] = '' except: pass elif data.an[i].type == dns.DNS_CNAME: # if this is in alias, answer(alias) analysis try: name = domaintools.tld_detect(data.an[i].name) cname = domaintools.tld_detect(data.an[i].cname) res = self.blip(cname[2]) if (name and cname) and (data.an[i].name != data.an[i].cname): if settings['jack'] == 'On': self.iaq.put([meta,data.an[i].name,data.an[i].cname,'A']) if res['white'] and res1['hard']: pass else: # [meta,cname,'A'] name analysis ('A'=alias) if settings['hooves'] == 'On': self.inq.put([meta,cname,'A']) except: pass