LiamRandall/gist:7339749

## gistfile1.txt
##! DNS Detect Abnormal Number of Lookup Failures

##!                watches for hosts recieving an abnormal number of NXDOMAIN DNS Lookup Failures

##!        Improvements & derivatives

@load base/protocols/dns
@load base/frameworks/sumstats

@load base/utils/time

module DNS;

export {
        redef enum Notice::Type += {
                ## Indicates a host bruteforcing HTTP Basic Auth logins by watching for too many
                ## rejected usernames or failed passwords.
                DNS_high_failure_count
        };

        ## How many rejected usernames or passwords are required before being
        ## considered to be bruteforcing.
        const dns_NXDOMAIN_threshold: double = 50 &redef;

        ## The time period in which the threshold needs to be crossed before
        ## being reset.
        const dns_NXDOMAIN_interval = 5mins &redef;
}


event bro_init()
        {
        local r1: SumStats::Reducer = [$stream="dns-nxdomain.count", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(dns_NXDOMAIN_threshold+2)];
        SumStats::create([$name="dns-nxdomain-count",
                          $epoch=dns_NXDOMAIN_interval,
                          $reducers=set(r1),
                          $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                                  {
                                  return result["dns-nxdomain.count"]$num+0.0;
                                  },
                          $threshold=dns_NXDOMAIN_threshold,
                          $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                                  {
                                  local r = result["dns-nxdomain.count"];
                                  local dur = duration_to_mins_secs(r$end-r$begin);
                                  local plural = r$unique>1 ? "s" : "";
                                  local message = fmt("%s had at least %d NXDOMAIN responses on %d server%s in %s", key$host, r$num, r$unique, plural, dur);
                                  NOTICE([$note=DNS::DNS_high_failure_count,
                                          $src=key$host,
                                          $msg=message,
                                          $identifier=cat(key$host)]);
                                  }]);
        }
event dns_query_reply(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
        {
        if ( msg?$rcode && msg$rcode == 3 ) # 3 = NXDOMAIN
                {
                        SumStats::observe("dns-nxdomain.count", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]);
                }
        }
	##! DNS Detect Abnormal Number of Lookup Failures

	##! watches for hosts recieving an abnormal number of NXDOMAIN DNS Lookup Failures

	##! Improvements & derivatives

	@load base/protocols/dns
	@load base/frameworks/sumstats

	@load base/utils/time

	module DNS;

	export {
	redef enum Notice::Type += {
	## Indicates a host bruteforcing HTTP Basic Auth logins by watching for too many
	## rejected usernames or failed passwords.
	DNS_high_failure_count
	};

	## How many rejected usernames or passwords are required before being
	## considered to be bruteforcing.
	const dns_NXDOMAIN_threshold: double = 50 &redef;

	## The time period in which the threshold needs to be crossed before
	## being reset.
	const dns_NXDOMAIN_interval = 5mins &redef;
	}


	event bro_init()
	{
	local r1: SumStats::Reducer = [$stream="dns-nxdomain.count", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(dns_NXDOMAIN_threshold+2)];
	SumStats::create([$name="dns-nxdomain-count",
	$epoch=dns_NXDOMAIN_interval,
	$reducers=set(r1),
	$threshold_val(key: SumStats::Key, result: SumStats::Result) =
	{
	return result["dns-nxdomain.count"]$num+0.0;
	},
	$threshold=dns_NXDOMAIN_threshold,
	$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
	{
	local r = result["dns-nxdomain.count"];
	local dur = duration_to_mins_secs(r$end-r$begin);
	local plural = r$unique>1 ? "s" : "";
	local message = fmt("%s had at least %d NXDOMAIN responses on %d server%s in %s", key$host, r$num, r$unique, plural, dur);
	NOTICE([$note=DNS::DNS_high_failure_count,
	$src=key$host,
	$msg=message,
	$identifier=cat(key$host)]);
	}]);
	}
	event dns_query_reply(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	if ( msg?$rcode && msg$rcode == 3 ) # 3 = NXDOMAIN
	{
	SumStats::observe("dns-nxdomain.count", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]);
	}
	}