gamelinux / passivedns

A network sniffer that logs all DNS server replies for use in a passive DNS setup
http://gamelinux.org/

Have Query and Answer string length #90

Open helmerfud opened 7 years ago

helmerfud commented 7 years ago

Hello, is it possible to add the Query and Answer string length at the end of the log line? This data will help my security manager to check for possible data evasion through DNS requests. For a test situation I've added these lines to dns.c:

```c
/* line: 660 */
int qname_len = 0;
int answer_len = 0;

/* line: 1103 */
/* Print query length */
if (config.fieldsf & FIELD_QUERY) {
    if (offset != 0)
        offset += snprintf(output+offset, sizeof(buffer) - offset, "%s", d);
    /* length is computed unconditionally; only the delimiter depends on offset */
    qname_len = strlen(l->qname);
    offset += snprintf(output+offset, sizeof(buffer) - offset, "%d", qname_len);
}

/* Print answer length */
if (config.fieldsf & FIELD_ANSWER) {
    if (offset != 0)
        offset += snprintf(output+offset, sizeof(buffer) - offset, "%s", d);
    if (is_err_record) {
        /* error records carry the rcode (e.g. NXDOMAIN) instead of an answer */
        answer_len = strlen(rr_rcode);
        offset += snprintf(output+offset, sizeof(buffer) - offset, "%d", answer_len);
    } else {
        answer_len = strlen(p->answer);
        offset += snprintf(output+offset, sizeof(buffer) - offset, "%d", answer_len);
    }
}
```

But I'm not an experienced C programmer. Sorry, I don't understand a lot of your code and I'm not able to do the full job.

Bye.

gamelinux commented 7 years ago

Though this is trivial to calculate from the current log format, either by preprocessing logs before you push them to your final log storage solution (via Kafka etc.), or, I would guess, by calculating it with, say, Splunk when searching logs, I do see that it could be nice to have this if you don't have such fancy setups.

If I get time, I will look at it. A pull request would work too :)


gamelinux commented 7 years ago

Check out commit 215e3514df884e4bbf1e548f7b7d1066a51a6ffc. Tell me if this works like you expected.

maxtors commented 7 years ago

I would vote against this change. It adds extra computation, and alters the log format and size, all for something that I think should be calculated further down the pipeline (as previously mentioned by gamelinux). Also, it seems to be outside the scope of what I feel this application is: a slim and to-the-point passive DNS collector.

gamelinux commented 7 years ago

I do agree that it is outside what I would like in the core functionality (as the data is kind of there already, you just need to calculate it), but adding this would add only a very, very little overhead to computation if you don't specify -f with "L" and "l". It's just checking whether a flag is set, in a very efficient way, in a few places.

And this will not alter the output format, if you don't manually add "L" and/or "l".

The biggest plus here is that this allows command-line tools like jq to parse the JSON output etc. and filter on the length of domains if you want to hunt for, say, DNS tunneling. Also, if you have little clue or are just short of time, you can push the data into ELK or Splunk etc. and use the length field right away, without writing a parser that adds the length before log insertion.

I'm open to feedback though :)
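Both of gamelinux's comments above describe the alternative to patching the collector: derive the query and answer lengths from the log lines further down the pipeline, then filter on them to hunt for DNS tunneling. The script below is an added example of that preprocessing step, written for this page and not part of the passivedns project. It parses passivedns' default "||"-separated text log format (timestamp, client, server, class, query, type, answer, TTL, count), appends the two lengths the way the "L"/"l" fields would, and additionally computes label count and longest label, which go beyond the thread but are what a practitioner would actually filter on for tunneling. The log lines and the thresholds are constructed for the example and are assumptions, not project data.

```python
"""Added example (not passivedns project code): compute query/answer lengths
from passivedns' default text log format downstream of the collector.

Record layout (one per line, fields separated by "||"):
    timestamp||client||server||class||query||type||answer||ttl||count
The sample log lines and the thresholds below are constructed for this
example; they are assumptions, not values taken from the project.
"""
from collections import Counter

FIELDS = ("ts", "client", "server", "class", "query", "type", "answer", "ttl", "count")

# Constructed sample log: two ordinary lookups, one tunnel-looking TXT query with
# long encoded labels, and one NXDOMAIN. The rcode in the answer field of the
# error record is an assumption about how error records are logged.
SAMPLE_LOG = """\
1322849924.408856||10.1.1.1||8.8.8.8||IN||www.example.com.||A||93.184.216.34||3600||1
1322849930.120000||10.1.1.1||8.8.8.8||IN||mail.example.com.||MX||mx.example.com.||3600||1
1322849935.000000||10.1.1.2||8.8.8.8||IN||0123456789abcdef0123456789abcdef0123456789abcdef.0123456789abcdef0123456789abcdef.t.example.org.||TXT||aGVsbG8gd29ybGQgdGhpcyBpcyBhIHR1bm5lbA==||1||1
1322849940.000000||10.1.1.3||8.8.8.8||IN||doesnotexist.example.net.||A||NXDOMAIN||0||1
"""


def parse_line(line):
    """Split one passivedns record into a dict; reject malformed lines loudly."""
    parts = line.rstrip("\n").split("||")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def add_lengths(rec):
    """Append the same values the collector-side patch would emit (strlen of the
    logged query and answer strings, trailing dot included), plus label stats."""
    rec["qname_len"] = len(rec["query"])
    rec["answer_len"] = len(rec["answer"])
    labels = rec["query"].rstrip(".").split(".") if rec["query"].strip(".") else []
    rec["label_count"] = len(labels)
    rec["longest_label"] = max((len(label) for label in labels), default=0)
    return rec


def parse_log(text):
    return [add_lengths(parse_line(line)) for line in text.splitlines() if line.strip()]


def flag_records(records, qname_threshold=60, label_threshold=40):
    """Return (query, reasons) for records whose name or longest label exceeds
    the (assumed) thresholds; DNS allows 255 octets per name and 63 per label,
    so legitimate names rarely come close to these values."""
    flagged = []
    for rec in records:
        reasons = []
        if rec["qname_len"] > qname_threshold:
            reasons.append(f"qname_len {rec['qname_len']} > {qname_threshold}")
        if rec["longest_label"] > label_threshold:
            reasons.append(f"longest_label {rec['longest_label']} > {label_threshold}")
        if reasons:
            flagged.append((rec["query"], reasons))
    return flagged


def bytes_per_client(records):
    """Sum of query-name bytes per client: a crude upstream-volume indicator,
    since a tunnel has to push its data through the names it asks for."""
    totals = Counter()
    for rec in records:
        totals[rec["client"]] += rec["qname_len"]
    return dict(totals)


def to_log_line(rec):
    """Re-emit the record with qname_len and answer_len appended, which is the
    'enrich before shipping to storage' approach from the discussion."""
    return "||".join(rec[f] for f in FIELDS) + f"||{rec['qname_len']}||{rec['answer_len']}"


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rec in recs:
        print(to_log_line(rec))
    for query, reasons in flag_records(recs):
        print("FLAG", query, "; ".join(reasons))
    print("qname bytes per client:", bytes_per_client(recs))
```

Run as-is it prints the enriched lines and flags only the TXT query with the long encoded labels. In a real pipeline `SAMPLE_LOG` would be replaced by the file passivedns writes (`-l`), and the thresholds tuned against a baseline of the environment's own name lengths before alerting on them.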

helmerfud commented 7 years ago

Hello, I thank you very much for your great work. Including my request in your project is, for me, fantastic. It works very well, as I expected.

Best regards.