Created
April 10, 2013 16:33
-
-
Save sethhall/5356234 to your computer and use it in GitHub Desktop.
This is a quick script using the measurement framework in Bro to watch for too many unique DNS requests from a single host. At this point in time this code doesn't even work in git master (but it does work!).
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
module DNS; | |
export { | |
redef enum Notice::Type += { | |
## We saw a lot of unique DNS requests! | |
DNS::Too_Much_Unique_DNS, | |
}; | |
} | |
event bro_init() | |
{ | |
local r1: Measurement::Reducer = [$stream="dns.request", $apply=set(Measurement::UNIQUE)]; | |
Measurement::create([$epoch=5min, | |
$reducers=set(r1), | |
$threshold_val(key: Measurement::Key, result: Measurement::Result) = | |
{ | |
return result["dns.request"]$unique; | |
}, | |
$threshold_series=vector(150,1000), | |
$threshold_crossed(key: Measurement::Key, result: Measurement::Result) = | |
{ | |
local r = result["dns.request"]; | |
local dur = duration_to_mins_secs(r$end-r$begin); | |
NOTICE([$note=DNS::Too_Much_Unique_DNS, | |
$msg=fmt("%s sent at least %d unique DNS requests in %s", key$host, r$unique, dur), | |
$src=key$host]); | |
}]); | |
} | |
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) | |
{ | |
Measurement::add_data("dns.request", [$host=c$id$orig_h], [$str=query]); | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment