gamelinux / passivedns

A network sniffer that logs all DNS server replies for use in a passive DNS setup
http://gamelinux.org/

Can't get pdns2db.pl to alert on queries for static domains in a blacklist file #7

Closed kevin-branch closed 12 years ago

kevin-branch commented 12 years ago

I'm running passivedns 0.3.1 from github on my Ubuntu 10.04 server (64 bit) and I can't get pdns2db.pl to alert on DNS queries that are for static domains in a blacklist file.

Here is what I did:

    root@host:~# passivedns -i eth0 -D
    [*] Running passivedns 0.3.1
    [*] Using libpcap version 1.0.0
    [*] Device: eth0
    [*] Daemonizing...

    root@host:~# pdns2db.pl --alertlog /tmp/alert.log --blacklist /tmp/suspiciousdomains_High.txt --daemon
    [*] Starting pdns2db.pl
    [*] Daemonizing...

I picked a random suspicious domain from /tmp/suspiciousdomains_High.txt (www.alzexa.com) and tried to ping it to generate a pdns db record and hopefully an alert record in /tmp/alert.log. The DNS lookup was successful, and a record made it to the db:

    root@host:~# search-pdns.pl -s "www.alzexa.com"
    === PassiveDNS ===

         FirstSeen      |       LastSeen       | TYPE  | TTL  |     Query      |    Answer
    2012-02-06 18:31:40 | 2012-02-06 18:31:40 | CNAME | 3600 | www.alzexa.com | alzexa.com
    2012-02-06 18:31:40 | 2012-02-06 18:31:40 | A     | 3600 | www.alzexa.com | 174.36.237.98
    Displayed 2 (sql limit: 100)

However, nothing was written to /tmp/alert.log.

I confirmed that this static domain is in the blacklist, and it is:

    root@host:~# grep "www.alzexa.com" /tmp/suspiciousdomains_High.txt
    www.alzexa.com

I redid this process with verbosity and logging turned on in pdns2db.pl, and "[D] www.alzexa.com" showed up in the list of static domains loaded at script start time.

And when I checked /var/log/passivedns-run.log for the debug log, it seems to think that www.alzexa.com doesn't match:

    [D] No static match on domain: www.alzexa.com or alzexa.com
    [D] No pcre match on domain: www.alzexa.com or alzexa.com
    [D] No static match on domain: www.alzexa.com or alzexa.com
    [D] No pcre match on domain: www.alzexa.com or alzexa.com
    [D] No static match on domain: www.alzexa.com or alzexa.com
    [D] No pcre match on domain: www.alzexa.com or alzexa.com
    [D] INSERT INTO pdns ( QUERY,RR,MAPTYPE,ANSWER,TTL,LAST_SEEN,FIRST_SEEN ) VALUES ( 'www.alzexa.com','IN','CNAME','alzexa.com','3600',FROM_UNIXTIME(1328571100),FROM_UNIXTIME(1328571100) ) ON DUPLICATE KEY UPDATE LAST_SEEN=FROM_UNIXTIME(1328571100), TTL = '3600'

    [D] No static match on domain: www.alzexa.com or 174.36.237.98
    [D] No pcre match on domain: www.alzexa.com or 174.36.237.98
    [D] No static match on domain: www.alzexa.com or 174.36.237.98
    [D] No pcre match on domain: www.alzexa.com or 174.36.237.98
    [D] No static match on domain: www.alzexa.com or 174.36.237.98
    [D] No pcre match on domain: www.alzexa.com or 174.36.237.98
    [D] INSERT INTO pdns ( QUERY,RR,MAPTYPE,ANSWER,TTL,LAST_SEEN,FIRST_SEEN ) VALUES ( 'www.alzexa.com','IN','A','174.36.237.98','3600',FROM_UNIXTIME(1328571100),FROM_UNIXTIME(1328571100) ) ON DUPLICATE KEY UPDATE LAST_SEEN=FROM_UNIXTIME(1328571100), TTL = '3600'

Is there something else I should try next?

gamelinux commented 12 years ago

Hi Kevin,

I would like to inspect your blacklist file :)

I'll look into it from here though.

E

gamelinux commented 12 years ago

Ok, I just did a test here on Ubuntu 10.04, latest stuff from git.

    perl pdns2db.pl --blacklist test-blacklist-domains.txt --batch

where the file just contains the domain "www.alzexa.com".

    1328636763||1.1.1.1||8.8.8.8||IN||www.alzexa.com.||CNAME||alzexa.com.||3524
    1328636763||1.1.1.1||8.8.8.8||IN||www.alzexa.com.||A||174.36.237.98||3524
    1328636799||1.1.1.1||8.8.8.8||IN||www.alzexa.com.||A||174.36.237.98||3524
    1328636799||1.1.1.1||8.8.8.8||IN||www.alzexa.com.||CNAME||alzexa.com.||3524
    1328636839||1.1.1.1||8.8.8.8||IN||www.alzexa.com.||CNAME||alzexa.com.||3448
    1328636839||1.1.1.1||8.8.8.8||IN||www.alzexa.com.||A||174.36.237.98||3448

Be sure that each line has just the domain, and no extra chars, like space or something. Does that help?

E

kevin-branch commented 12 years ago

I found the problem. Every domain name in the SANS file http://isc.sans.edu/feeds/suspiciousdomains_High.txt ends with "\t\n" rather than the expected "\n". This kind of thing could be handled nicely if pdns2db.pl would clean off leading and trailing white space during blacklist import.

One other small thing I ran into while debugging: Whenever I try to use --verbose with pdns2db.pl it says "Unknown option: verbose" even though "pdns2db.pl -h" shows it as an available option. It appears to just be missing in your call to GetOptions.
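The two defects in this thread (blacklist entries that end in "\t\n" never matching, and --verbose being absent from the GetOptions call) both come down to how a static-domain blacklist is loaded and matched. The script below is an added example written for this page; it is not code from pdns2db.pl or the passivedns project. It assumes a hypothetical option set and the "||"-separated record format shown in the comments above, trims leading and trailing whitespace on import, normalizes the trailing dot that passivedns writes on names, and checks both the query and the answer side of a record against the loaded set. The feed line and the record are constructed inputs.

```perl
#!/usr/bin/perl
# Added example, not the project's code: whitespace-tolerant blacklist
# loading and static-domain matching for passive DNS records.
use strict;
use warnings;
use Getopt::Long;

# Hypothetical option set; pdns2db.pl's real option list is not reproduced here.
my ($alertlog, $blacklist, $daemon, $verbose) = (undef, undef, 0, 0);
GetOptions(
    'alertlog=s'  => \$alertlog,
    'blacklist=s' => \$blacklist,
    'daemon'      => \$daemon,
    'verbose'     => \$verbose,   # the option the issue reports as missing
) or die "Bad options\n";

# Normalize a name: strip surrounding whitespace (this removes the "\t\n"
# ending found in the SANS feed), drop a trailing dot so "www.alzexa.com."
# compares equal to "www.alzexa.com", and lowercase it.
sub normalize_domain {
    my ($d) = @_;
    return undef unless defined $d;
    $d =~ s/^\s+|\s+$//g;
    $d =~ s/\.$//;
    return lc $d;
}

# Load static domains from a file handle into a hash for O(1) lookups.
sub load_blacklist {
    my ($fh) = @_;
    my %static;
    while (my $line = <$fh>) {
        my $d = normalize_domain($line);
        next if $d eq '' || $d =~ /^#/;     # skip blank lines and comments
        $static{$d} = 1;
        print "[D] $d\n" if $verbose;       # mirrors the "[D] domain" listing at start-up
    }
    return \%static;
}

# Check both the query and the answer of a record, as the [D] lines in the
# issue show pdns2db.pl doing ("No static match on domain: X or Y").
sub static_match {
    my ($static, $query, $answer) = @_;
    for my $name (normalize_domain($query), normalize_domain($answer)) {
        return $name if defined $name && $static->{$name};
    }
    return undef;
}

# Constructed feed content: a line with the "\t\n" ending reported in the issue,
# a line with a trailing space, a comment and a blank line.
my $feed = "www.alzexa.com\t\nexample.invalid \n# comment\n\n";
open(my $fh, '<', \$feed) or die "open: $!";
my $static = load_blacklist($fh);
close $fh;

# Constructed record in the "||"-separated passivedns log format:
# timestamp||client||server||class||query||type||answer||ttl
my $record = "1328636763||1.1.1.1||8.8.8.8||IN||www.alzexa.com.||CNAME||alzexa.com.||3524";
my @f = split /\|\|/, $record;
my ($query, $answer) = ($f[4], $f[6]);

if (my $hit = static_match($static, $query, $answer)) {
    my $msg = "[A] static blacklist hit: $hit ($record)\n";
    print $msg;
    # append the alert to the log file when --alertlog was given
    if (defined $alertlog) {
        open(my $al, '>>', $alertlog) or die "open $alertlog: $!";
        print $al $msg;
        close $al;
    }
} else {
    print "[D] No static match on domain: $query or $answer\n";
}
```

Run as `perl blacklist-check.pl --verbose --alertlog /tmp/alert.log`; with the feed line above the record matches on its query side even though the blacklist entry carried a trailing tab, and the "[D]" listing at start-up shows the trimmed name. The lookup is a hash rather than a per-line scan so that a feed of thousands of domains costs one hash probe per record side.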