Closed openargus closed 4 months ago
There are 2 modes of operation for radns.1:
We'll need to test that these 2 modes actually do some of the things it wants to do ...
In historical forensics analysis, especially hunting, you will be analyzing a lot of historical IP address data, but to provide the correct context, you need the historical DNS resolution data for the time period of the investigation. So many systems will attempt to do reverse lookups NOW, for IP addresses THEN, and that really isn't helpful.
For these features, running Argus-5.0 in end systems, such as mobile laptops, tablets, vehicles, etc ... generates the DNS data needed for a complete awareness of DNS integrity. You don't have to process the data on the endpoint to get value ... you can collect the data much later, and build the
DNS parsing from Argus-5.0 control plane capture is working and headed to the main branch. This capability allows you to work with DNS transactions as binary argus records, as well as JSON records. There are a few scripts that will aggregate DNS transactions, with the intention of building a persistent audit of DNS activity, thus the private passive DNS title. Also, there are Perl scripts to push JSON data into MySQL databases, which can be used to look up names, TLDs, NLDs, by address or by name ... These are Perl scripts that can be easily converted to Python, in order to feed some AI/ML work to analyze DNS behavior.
Code does a lot, needs some testing
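As an added illustration of the two points above (a reverse lookup done NOW is not the answer for an address seen THEN, and aggregated JSON transactions indexed by address and by name), here is a small time-pinned passive DNS store in Python. It is example code, not radns or any of the Argus project's scripts; the NDJSON field names (ts, qname, rtype, rdata, ttl) and the sample records are constructed for the example and do not reproduce the argus JSON schema.

```python
import json
from collections import defaultdict

# Constructed sample: newline-delimited JSON DNS answers, one per line.
# Field names (ts, qname, rtype, rdata, ttl) are assumed, not argus's schema.
SAMPLE_NDJSON = """
{"ts": 1700000000, "qname": "cdn.example.net",    "rtype": "A", "rdata": "203.0.113.10", "ttl": 300}
{"ts": 1700000200, "qname": "cdn.example.net",    "rtype": "A", "rdata": "203.0.113.10", "ttl": 300}
{"ts": 1700003600, "qname": "update.example.org", "rtype": "A", "rdata": "203.0.113.10", "ttl": 60}
{"ts": 1700007200, "qname": "cdn.example.net",    "rtype": "A", "rdata": "203.0.113.11", "ttl": 300}
"""

def load_records(text):
    """Parse NDJSON DNS transactions; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

class PassiveDns:
    """Audit of (name, address) observations with first/last-seen intervals,
    indexed by address and by name so a lookup can be pinned to a point in time."""

    def __init__(self, records):
        self.obs = {}                    # (qname, rdata) -> [first_seen, last_seen]
        self.by_addr = defaultdict(set)  # rdata -> {qname}
        self.by_name = defaultdict(set)  # qname -> {rdata}
        for r in records:
            if r["rtype"] not in ("A", "AAAA"):
                continue                 # only address records are indexed here
            key = (r["qname"], r["rdata"])
            end = r["ts"] + r["ttl"]     # the answer stays valid until its TTL expires
            if key in self.obs:          # repeated answer: widen the observed interval
                self.obs[key][0] = min(self.obs[key][0], r["ts"])
                self.obs[key][1] = max(self.obs[key][1], end)
            else:
                self.obs[key] = [r["ts"], end]
            self.by_addr[r["rdata"]].add(r["qname"])
            self.by_name[r["qname"]].add(r["rdata"])

    def _valid_at(self, key, at):
        first, last = self.obs[key]
        return at is None or first <= at <= last

    def names_for(self, addr, at=None):
        """Names that resolved to addr at time `at`; every name ever seen if at is None."""
        return sorted(n for n in self.by_addr[addr] if self._valid_at((n, addr), at))

    def addrs_for(self, name, at=None):
        """Addresses that name resolved to at time `at`."""
        return sorted(a for a in self.by_name[name] if self._valid_at((name, a), at))

# Build the store once from the constructed capture.
pdns = PassiveDns(load_records(SAMPLE_NDJSON))
```

Querying the same address at two investigation times returns different names, and a query at a much later "now" returns nothing at all, which is the context a live reverse lookup would silently lack.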