Blacklist DNS alerting

Hello all,

I recently spun up my first Bro instance and I'm trying to find the most
elegant way to alert any time there is a query for a particular set of
malicious domains (e.g.
https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist).

Would this be best accomplished with a signature? Would I be better off
writing a hook for Bro's core DNS script?

Any input will be greatly appreciated,

Bob

I do it with a simple hook based on the 1.5.x DNS code. I then use a
Perl script to parse a list of domains into a data structure it can
use. Lines in the output of that script look like this:

redef DNS::hostile_domain_list += {
        "torpig-sinkhole.org",
        "riaa.com",
        "mpaa.org",
};

And the Bro hook code looks like this:

module DNS;

export {
        # Second-level domains to alert on; filled in by the generated redef lines above.
        const hostile_domain_list: set[string] &redef;
        # Hosts (e.g. internal resolvers or analysis boxes) allowed to query them without a notice.
        const okay_to_lookup_hostile_domains: set[addr] &redef;
}

redef okay_to_lookup_hostile_domains = { 192.168.1.1, 192.168.1.2, };

redef enum Notice::Type += {
        DNS_Malicious_Domain
};

# Reduce a query name to its last two labels (www.example.com -> example.com).
function second_level_domain(name: string): string
        {
        local split_on_dots = split(name, /\./);
        local num_dots = length(split_on_dots);

        if ( num_dots <= 1 )
                return name;

        return fmt("%s.%s", split_on_dots[num_dots-1], split_on_dots[num_dots]);
        }

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=0
        {
        if ( c$id$orig_h !in okay_to_lookup_hostile_domains )
                {
                # Braces are needed here: without them only the 'local' line is
                # conditional and the NOTICE would fire for every query.
                if ( second_level_domain(query) in hostile_domain_list )
                        {
                        local message = fmt("Test: Malware domain %s", query);
                        NOTICE([$note=DNS_Malicious_Domain,
                                $msg=message,
                                $conn=c]);
                        }
                }
        }
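The list-to-redef conversion and the hook's matching logic, as an added Python example (not the Perl script or Bro code from the reply). It assumes the blocklist download is one domain per line with `#` comments, lowercases names (the Bro hook above compares case-sensitively), and reuses the reply's allowed-resolver addresses; the sample list and queries are constructed.

```python
"""Build a Bro 'redef DNS::hostile_domain_list' block from a domain blocklist
and mirror the hook's match logic so both can be checked offline."""
from collections.abc import Iterable

# Constructed sample in the assumed download format, not the live abuse.ch feed.
SAMPLE_BLOCKLIST = """\
# ZeuS domain blocklist (constructed sample)
torpig-sinkhole.org
Riaa.com
www.mpaa.org

# trailing comment
"""

# Same hosts as the reply's okay_to_lookup_hostile_domains redef.
ALLOWED_RESOLVERS = {"192.168.1.1", "192.168.1.2"}


def second_level_domain(name: str) -> str:
    """Mirror of the Bro second_level_domain(): keep the last two labels.

    Like the original it knows nothing about public suffixes, so
    'example.co.uk' collapses to 'co.uk'; kept that way to match the hook."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) <= 1:
        return name
    return ".".join(labels[-2:])


def parse_blocklist(text: str) -> set[str]:
    """Parse a blocklist into the set of second-level domains the hook compares against."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if line:
            domains.add(second_level_domain(line))
    return domains


def to_bro_redef(domains: Iterable[str]) -> str:
    """Emit the 'redef DNS::hostile_domain_list += { ... };' block the reply describes."""
    entries = ",\n".join(f'        "{d}"' for d in sorted(domains))
    return f"redef DNS::hostile_domain_list += {{\n{entries},\n}};\n"


def hostile_queries(queries, hostile, allowed=ALLOWED_RESOLVERS):
    """Apply the hook's test to (orig_h, query) pairs: flag a query whose
    second-level domain is hostile unless the source is an allowed resolver."""
    return [(src, q) for src, q in queries
            if src not in allowed and second_level_domain(q) in hostile]
```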