Offending domains detector
#!/usr/bin/env python | |
# -*- coding: utf-8 -*- | |
import calendar
import os
import sys
import syslog
import time

from scapy.all import *
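# Characters that are passed through unchanged when a DNS name is written to
# stdout / syslog.  Everything else (control bytes, ANSI escapes, commas that
# would break the CSV line, non-ASCII) is escaped as \xNN so that an attacker
# who controls a subdomain label cannot inject text into the SIEM feed.
_SAFE_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_"
)

# Cache for the watch-list: (path, mtime) of the file last read and the
# parsed set of domains.  Re-read on mtime change so edits to dominios.txt
# take effect live (the original re-read the file on every query).
_cache_dominios = {"clave": None, "dominios": frozenset()}


def _texto_seguro(nombre):
    """Return *nombre* with every character outside _SAFE_CHARS escaped as \\xNN.

    Backslash itself is not in the safe set, so the escaped form is unambiguous.
    """
    return "".join(c if c in _SAFE_CHARS else "\\x%02x" % ord(c) for c in nombre)


def _cargar_dominios(ruta="dominios.txt"):
    """Return the watch-list in *ruta* as a frozenset of lowercase domains.

    One domain per line; surrounding whitespace and a trailing dot are
    stripped, blank lines and lines starting with '#' are ignored.  The file
    is only re-read when its mtime changes.  A missing or unreadable file
    raises (OSError/IOError) rather than silently disabling detection.
    """
    clave = (ruta, os.path.getmtime(ruta))
    if clave != _cache_dominios["clave"]:
        with open(ruta) as fh:
            limpias = (linea.strip() for linea in fh)
            dominios = frozenset(
                l.lower().rstrip(".") for l in limpias if l and not l.startswith("#")
            )
        _cache_dominios["clave"] = clave
        _cache_dominios["dominios"] = dominios
    return _cache_dominios["dominios"]


def _dominio_vigilado(nombre, dominios):
    """Return True if *nombre* is a listed domain or a subdomain of one.

    Matching is case-insensitive (DNS names are) and label-based: a.b.c hits
    on "a.b.c", "b.c" or "c" being listed, but "notevil.com" does not hit on
    "evil.com".  The original substring test did the opposite: it missed
    subdomains and matched any fragment of the file's text.
    """
    nombre = nombre.lower().rstrip(".")
    if not nombre or not dominios:
        return False
    etiquetas = nombre.split(".")
    return any(".".join(etiquetas[i:]) in dominios for i in range(len(etiquetas)))


def _primera_pregunta(dns):
    """Return the first question record of a DNS layer, or None if it has none.

    NOTE(review): scapy exposes DNS.qd as a single DNSQR in older releases and
    as a list in newer ones; both shapes are handled here - confirm against the
    installed version.  A query with qdcount=0 (qd None/empty) yields None
    instead of raising AttributeError, which would abort sniff().
    """
    qd = dns.qd
    if isinstance(qd, list):
        return qd[0] if qd else None
    return qd


def _nombre_consulta(pregunta):
    """Return the queried name of a question record as text, without trailing dot.

    scapy hands qname back as bytes on Python 3 and str on Python 2; bytes are
    decoded as latin-1, which never raises (DNS labels are arbitrary octets).
    """
    nombre = getattr(pregunta, "qname", None)
    if nombre is None:
        return ""
    if isinstance(nombre, bytes):
        nombre = nombre.decode("latin-1")
    return nombre.rstrip(".")


def capturaDNS(paquete):
    """sniff() callback: report type-A DNS queries for domains in dominios.txt.

    For every matching query two lines are printed: a CSV record
    "<unix time>,<source IP>,<queried name>" and "Detectado dominio: <name>".
    DNS responses, non-A queries (AAAA etc.) and packets without an IP/IPv6
    layer are ignored.  The name is escaped with _texto_seguro before
    printing.  Returns None.
    """
    # DNS over IPv6 transport must be inspected too, otherwise a client can
    # bypass the detector just by using an IPv6 resolver.
    capa_ip = paquete.getlayer(IP)
    if capa_ip is None:
        capa_ip = paquete.getlayer(IPv6)
    if capa_ip is None or not paquete.haslayer(DNS):
        return
    dns = paquete.getlayer(DNS)
    if dns.qr != 0:
        return  # only queries, not responses
    pregunta = _primera_pregunta(dns)
    # Only type A (1) queries; AAAA (28) are deliberately skipped, as before.
    if pregunta is None or pregunta.qtype != 1:
        return
    nombre = _nombre_consulta(pregunta)
    if not _dominio_vigilado(nombre, _cargar_dominios()):
        return
    nombre_log = _texto_seguro(nombre)
    ip_origen = str(capa_ip.src)
    # The destination resolver is intentionally not recorded.
    captura = "%d,%s,%s" % (calendar.timegm(time.gmtime()), ip_origen, nombre_log)
    print(captura)
    # To forward to a SIEM via syslog, enable:
    # syslog.syslog(syslog.LOG_ERR, "Detectado dominio: " + nombre_log)
    print("Detectado dominio: " + nombre_log)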
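# Capture interface: first CLI argument if given, else eth0 (unchanged default).
# Raw capture needs root / CAP_NET_RAW.  The BPF filter keeps only port-53
# traffic; store=0 stops scapy from accumulating packets in memory on long runs.
sniff(
    iface=(sys.argv[1] if len(sys.argv) > 1 else 'eth0'),
    filter="port 53",
    prn=capturaDNS,
    store=0,
)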