[Bro] Blacklist DNS alerting

Lou RUPPERT himself at louruppert.com
Wed Mar 21 09:46:22 PDT 2012



On 03/21/2012 12:34 PM, Bob Rotsted wrote:
> Hello all,
>
> I recently spun up my first Bro instance and I'm trying to find the most
> elegant way to alert any time there is a query for a particular set of
> malicious domains (ex.
> https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist) .
>
> Would this be best accomplished with a signature? Would I be better off
> writing a hook for Bro's core DNS script?
>
> Any input will be greatly appreciated,

I do it with a simple hook based on the 1.5.x DNS code.  I then use a
perl script to parse a list of domains into a data structure this can
use.  Lines in the output of that script look like this:

redef DNS::hostile_domain_list += { "torpig-sinkhole.org",
                                    "riaa.com",
                                    "mpaa.org",
};

And the bro hook code looks like this:

module DNS;

export {
        # Second-level domains (e.g. "riaa.com") that should raise a notice when queried.
        const hostile_domain_list: set[string] &redef;
        # Clients that are allowed to resolve listed domains without a notice.
        const okay_to_lookup_hostile_domains: set[addr] &redef;
}

redef okay_to_lookup_hostile_domains = { 192.168.1.1, 192.168.1.2, };

redef enum Notice::Type += {
        DNS_Malicious_Domain
};

# Reduce a query name to its last two labels ("www.example.com" -> "example.com").
function second_level_domain(name: string): string
        {
        local split_on_dots = split(name, /\./);
        local num_dots = length(split_on_dots);

        if ( num_dots <= 1 )
                return name;

        # split() returns a table indexed from 1, so these are the last two labels.
        return fmt("%s.%s", split_on_dots[num_dots-1], split_on_dots[num_dots]);
        }


event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=0
        {
        # Both conditions must enclose the NOTICE; without the braces only the
        # "local" line would be conditional and the notice would fire for every query.
        if ( c$id$orig_h !in okay_to_lookup_hostile_domains )
                {
                if ( second_level_domain(query) in hostile_domain_list )
                        {
                        local message = fmt("Test: Malware domain %s", query);
                        NOTICE([$note=DNS_Malicious_Domain,
                                $msg=message,
                                $conn=c]);
                        }
                }
        }

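The post describes a Perl script that turns a downloaded domain list into the redef block the hook consumes, but does not show it. Below is an added example (not from the original post or from the Bro project) in Python that does the same job: it parses a one-domain-per-line list with "#" comments, reduces each entry to its second-level domain so that it actually matches what the dns_request handler compares against the set, emits the "redef DNS::hostile_domain_list += { ... };" block, and mirrors the hook's matching logic so the list can be checked against sample queries before deployment. The blocklist text and IP addresses are constructed for the example; the function names are this example's own.

```python
import re
from typing import Iterable, List, Set

# Constructed sample in the one-domain-per-line, '#'-comment format used by
# text blocklists.  The domain names are made up for this example.
SAMPLE_BLOCKLIST = """\
#############################################
# example domain blocklist (constructed)    #
#############################################

evil-example.net
www.malware-example.org   # trailing comment
Bad-Case-Example.com.
bad.example.co.uk
"""

# A plain domain name: labels of [a-z0-9-] separated by dots, at least two labels.
_DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def parse_blocklist(text: str) -> List[str]:
    """Return the domains in a blocklist, lower-cased, without trailing dots,
    with comments and blank lines dropped and non-domain lines skipped."""
    domains = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not line or not _DOMAIN_RE.match(line):
            continue
        domains.append(line)
    return domains


def second_level_domain(name: str) -> str:
    """Mirror of the hook's second_level_domain(): keep the last two labels,
    or the whole name if it has only one label."""
    labels = name.split(".")
    if len(labels) <= 1:
        return name
    return ".".join(labels[-2:])


def to_redef(domains: Iterable[str]) -> str:
    """Emit the redef block the hook expects.  Entries are reduced to their
    second-level domain (that is what the hook looks up) and de-duplicated."""
    entries = sorted({second_level_domain(d) for d in domains})
    body = ",\n".join(f'    "{d}"' for d in entries)
    return f"redef DNS::hostile_domain_list += {{\n{body},\n}};\n"


def would_alert(query: str, hostile: Set[str], client: str, allowed_clients: Set[str]) -> bool:
    """Same decision the dns_request handler makes: skip allowed clients,
    otherwise alert when the query's second-level domain is in the set."""
    if client in allowed_clients:
        return False
    return second_level_domain(query.lower().rstrip(".")) in hostile


if __name__ == "__main__":
    parsed = parse_blocklist(SAMPLE_BLOCKLIST)
    print(to_redef(parsed))
    hostile = {second_level_domain(d) for d in parsed}
    for q in ("WWW.evil-example.net.", "mail.harmless-example.org"):
        print(q, "->", would_alert(q, hostile, "10.0.0.5", {"192.168.1.1"}))
```

One thing the mirror makes visible: because the hook keeps only the last two labels, a list entry under a two-part public suffix such as "bad.example.co.uk" is reduced to "co.uk", and once that string is in the set every query ending in ".co.uk" would raise the notice. Entries like that need to be handled separately (or dropped) before the generated block is loaded.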
