Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Abnormal DNS Lookup Failures
##! DNS Detect Abnormal Number of Lookup Failures
##! watches for hosts recieving an abnormal number of NXDOMAIN DNS Lookup Failures
##! Improvements & derivatives
@load base/protocols/dns
@load base/frameworks/sumstats
@load base/utils/time
module DNS;
export {
redef enum Notice::Type += {
## Indicates a host bruteforcing HTTP Basic Auth logins by watching for too many
## rejected usernames or failed passwords.
## How many rejected usernames or passwords are required before being
## considered to be bruteforcing.
const dns_NXDOMAIN_threshold: double = 50 &redef;
## The time period in which the threshold needs to be crossed before
## being reset.
const dns_NXDOMAIN_interval = 5mins &redef;
event bro_init()
local r1: SumStats::Reducer = [$stream="dns-nxdomain.count", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(dns_NXDOMAIN_threshold+2)];
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
return result["dns-nxdomain.count"]$num+0.0;
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
local r = result["dns-nxdomain.count"];
local dur = duration_to_mins_secs(r$end-r$begin);
local plural = r$unique>1 ? "s" : "";
local message = fmt("%s had at least %d NXDOMAIN responses on %d server%s in %s", key$host, r$num, r$unique, plural, dur);
event dns_query_reply(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
if ( msg?$rcode && msg$rcode == 3 ) # 3 = NXDOMAIN
SumStats::observe("dns-nxdomain.count", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment