[Bro] Blacklist DNS alerting
Lou RUPPERT
himself at louruppert.com
Wed Mar 21 09:46:22 PDT 2012
On 03/21/2012 12:34 PM, Bob Rotsted wrote:
> Hello all,
>
> I recently spun up my first Bro instance and I'm trying to find the most
> elegant way to alert any time there is a query for a particular set of
> malicious domains (ex.
> https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist) .
>
> Would this be best accomplished with a signature? Would I be better off
> writing a hook for Bro's core DNS script?
>
> Any input will be greatly appreciated,
I do it with a simple hook based on the 1.5.x DNS code. I then use a
perl script to parse a list of domains into a data structure this can
use. Lines in the output of that script look like this:
redef DNS::hostile_domain_list += {
	"torpig-sinkhole.org",
	"riaa.com",
	"mpaa.org",
};
And the bro hook code looks like this:
module DNS;

export {
	# Second-level domains to alert on; filled in by the generated redef lines.
	const hostile_domain_list: set[string] &redef;
	# Hosts whose lookups of those domains are expected and should not alert.
	const okay_to_lookup_hostile_domains: set[addr] &redef;
}

redef okay_to_lookup_hostile_domains = { 192.168.1.1, 192.168.1.2, };

redef enum Notice::Type += {
	DNS_Malicious_Domain
};

# Reduce a name to its last two labels, e.g. "www.example.com" -> "example.com".
# split() returns a table indexed from 1, so the last two labels sit at
# num_dots-1 and num_dots.
function second_level_domain(name: string): string
	{
	local split_on_dots = split(name, /\./);
	local num_dots = length(split_on_dots);
	if ( num_dots <= 1 )
		return name;
	return fmt("%s.%s", split_on_dots[num_dots-1], split_on_dots[num_dots]);
	}

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=0
	{
	# Both conditions must hold before raising the notice; without the braces
	# the NOTICE() call would run for every query.
	if ( c$id$orig_h !in okay_to_lookup_hostile_domains &&
	     second_level_domain(query) in hostile_domain_list )
		{
		local message = fmt("Test: Malware domain %s", query);
		NOTICE([$note=DNS_Malicious_Domain,
		        $msg=message,
		        $conn=c]);
		}
	}
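As an added example (not from the original post or the Bro project), here is a Python version of the list-to-redef conversion step the reply describes: it reads a ZeuS-Tracker-style domain blocklist (comment lines starting with '#', one hostname per line) and emits the redef DNS::hostile_domain_list block the hook loads. Because the hook tests second_level_domain(query) for membership, each entry is normalized to the same form (lowercase, no trailing dot, last two labels only), otherwise a list entry such as "www.evil.example" would never match; the sample blocklist text below is constructed.

```python
import re
from typing import Iterable, List

# Constructed sample in the ZeuS Tracker text format (not the real feed).
SAMPLE_BLOCKLIST = """\
##########################################################
# abuse.ch ZeuS domain blocklist (constructed sample)
##########################################################

torpig-sinkhole.org
www.Riaa.com
mpaa.org.
   mpaa.org
localhost
"""


def second_level_domain(name: str) -> str:
    """Mirror the Bro hook: keep only the last two labels of a name."""
    labels = name.split(".")
    if len(labels) <= 1:
        return name
    return ".".join(labels[-2:])


def parse_blocklist(text: str) -> List[str]:
    """Return sorted, de-duplicated second-level domains from blocklist text.

    Comments, blank lines, surrounding whitespace, trailing dots and case
    are normalized so entries match what the hook derives from a query.
    """
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not line or not re.fullmatch(r"[a-z0-9.-]+", line):
            continue  # blank, comment, or not a plain hostname
        sld = second_level_domain(line)
        if "." not in sld:
            continue  # single-label names ("localhost") can never match
        seen.add(sld)
    return sorted(seen)


def render_redef(domains: Iterable[str]) -> str:
    """Emit the redef block the hook expects, one quoted domain per line."""
    body = "".join(f'\t"{d}",\n' for d in domains)
    return "redef DNS::hostile_domain_list += {\n" + body + "};\n"


if __name__ == "__main__":
    print(render_redef(parse_blocklist(SAMPLE_BLOCKLIST)), end="")
```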