Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Abnormal DNS Lookup Failures
##! DNS Detect Abnormal Number of Lookup Failures
##! watches for hosts recieving an abnormal number of NXDOMAIN DNS Lookup Failures
##! Improvements & derivatives
@load base/protocols/dns
@load base/frameworks/sumstats
@load base/utils/time
module DNS;
export {
redef enum Notice::Type += {
## Indicates a host bruteforcing HTTP Basic Auth logins by watching for too many
## rejected usernames or failed passwords.
DNS_high_failure_count
};
## How many rejected usernames or passwords are required before being
## considered to be bruteforcing.
const dns_NXDOMAIN_threshold: double = 50 &redef;
## The time period in which the threshold needs to be crossed before
## being reset.
const dns_NXDOMAIN_interval = 5mins &redef;
}
event bro_init()
{
local r1: SumStats::Reducer = [$stream="dns-nxdomain.count", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(dns_NXDOMAIN_threshold+2)];
SumStats::create([$name="dns-nxdomain-count",
$epoch=dns_NXDOMAIN_interval,
$reducers=set(r1),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return result["dns-nxdomain.count"]$num+0.0;
},
$threshold=dns_NXDOMAIN_threshold,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local r = result["dns-nxdomain.count"];
local dur = duration_to_mins_secs(r$end-r$begin);
local plural = r$unique>1 ? "s" : "";
local message = fmt("%s had at least %d NXDOMAIN responses on %d server%s in %s", key$host, r$num, r$unique, plural, dur);
NOTICE([$note=DNS::DNS_high_failure_count,
$src=key$host,
$msg=message,
$identifier=cat(key$host)]);
}]);
}
event dns_query_reply(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
{
if ( msg?$rcode && msg$rcode == 3 ) # 3 = NXDOMAIN
{
SumStats::observe("dns-nxdomain.count", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]);
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment