#!/bin/bash
#This program looks up the hostnames associated with IP addresses in
#your zeek conn logs and generates a fake dns log containing simulated
#DNS records so that RITA and AC-Hunter can associate the hostnames with
#those IP addresses.
#Command line parameter(s): the full path to the directory/directories
#containing your zeek logs. This needs/these need to be writeable as
#the current user so we can add the output DNS log containing the new
#DNS information.
#Please edit this line and replace 8.8.8.8 with the IP address of the
#DNS server to use for these lookups. If you need more than one,
#separate the IP addresses with a space. We do not recommend putting in
#more than 2 dns server IP addresses.
dns_server='8.8.8.8' #Replace the value in single quotes with the IP address of the server holding the PTR, A, and AAAA records for the IP addresses you want; exported so the child tools see it too.
export dns_server
#If you want to look up ONLY RFC1918 (aka "internal") IP addresses, edit the egrep command below and remove the " -v" following egrep.
#If you want to look up ONLY NON-RFC1918 (aka "external") IP addresses, edit the egrep command below and make sure there's a " -v" command line option after egrep.
#If you want to look up ALL IP addresses, remove the egrep line entirely.
#Do not edit this file on a windows system.
#If you make changes, make sure you do not add any characters at all following the "\" character found at the end of some lines.
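#######################################
# Print an error message on stderr and stop the script.
# Arguments: the message, one or more words; " , exiting." is appended
# Outputs:   the joined message on stderr
# Returns:   never returns; exits the shell with status 1
#######################################
fail() {
  # printf instead of echo so a message that starts with "-n"/"-e" or
  # contains backslashes is printed verbatim rather than interpreted.
  printf '%s , exiting.\n' "$*" >&2
  exit 1
}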
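# Abort before touching any log directory if one of the helpers this script
# pipes through is missing from PATH. "command -v" replaces the obsolescent
# bash-only "type -path" spelling. The message no longer ends in ", exiting."
# because fail() appends that itself.
for app in active_dns_lookup.py db_lib.py egrep gzip justone.py mktemp sed zcutter.py ; do
  if ! command -v "$app" >/dev/null 2>&1 ; then
    fail "Unable to locate $app. Please download/install it, make it executable, and place it in your path"
  fi
done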
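# Walk every directory named on the command line, build the simulated DNS
# log from that directory's conn.*.log.gz files, and drop it next to them.
# $# is used instead of -n "$1" so an empty argument is reported and skipped
# rather than silently ending the loop.
while (( $# > 0 )); do
  if [ -d "$1" ]; then
    printf 'Processing logs in %s\n' "$1"
    cd "$1" || fail "Unable to change to directory $1"
    # mktemp picks an unpredictable name under TMPDIR; the finished file is
    # moved into the log directory only after it has been fully written.
    tmp_log_file=$(mktemp -q -t "run_active_dns.XXXXXX" </dev/null) || fail "Unable to make temporary log file"
    # The egrep stage drops RFC1918, loopback and link-local addresses (see
    # the notes above on editing it); its stderr is silenced on purpose.
    # Without pipefail only the last stage's status is seen, and that is the
    # one whose failure would otherwise install a truncated dns log.
    if ! zcutter.py id.orig_h id.resp_h -r conn.*.log.gz \
      | sed -e 's/\t/\n/' \
      | egrep -v '(^10\.|^192\.168\.|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[01]\.|^127\.|^[Ff][Ee]80:)' 2>/dev/null \
      | justone.py \
      | active_dns_lookup.py -s "$dns_server" -z >"$tmp_log_file"; then
      rm -f -- "$tmp_log_file"
      fail "DNS lookup failed for logs in $1"
    fi
    gzip -9 "$tmp_log_file" || { rm -f -- "$tmp_log_file"; fail "Unable to compress temporary log file"; }
    # The fixed name keeps the new records at the end of the day's logs.
    mv -f -- "${tmp_log_file}.gz" ./dns.23:59:58-23:59:59.log.gz || { rm -f -- "${tmp_log_file}.gz"; fail "Unable to write new dns log to $1"; }
    cd - >/dev/null 2>/dev/null
  else
    printf '%s is not a directory, skipping.\n' "$1" >&2
  fi
  shift
done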