##! Domain generation algorithm infrastructure and detections.
##!
##! Requires: Bro 2.1+
##! Author: Seth Hall <[email protected]>
##!
@load base/frameworks/notice
module DomainGeneration;
export {
## For daily DGAs, the day offsets that you would like to generate names for.
## Domain names for all of the day offsets specified will be generated.
## Negative offsets cover names from previous days, positive ones pre-compute
## names for upcoming days.
const day_offsets: set[interval] = set(-1days,0days,1days) &redef;
## For hourly DGAs, the hour offsets that you would like to generate names for.
## Domain names for all of the hour offsets specified will be generated.
## As with day_offsets, the window is symmetric around "now" by default so
## clock skew between the sensor and the infected host does not cause misses.
const hour_offsets: set[interval] = set(-2hrs,-1hrs,0hrs,1hrs,2hrs) &redef;
redef enum Notice::Type += {
## A computed name from a domain generation algorithm was detected.
## Raised once per matching DNS query; see the dns_request handler below.
Computed_Domain_Detected
};
## The "kit" associated with the domain generation algorithm.
## Only EMPTY is defined here; presumably per-kit scripts extend this enum
## via redef - confirm against the generator scripts.
type Kit: enum { EMPTY };
## Lookup table of every pre-generated candidate name, mapped to the Kit
## whose algorithm produced it. It is declared empty in this file; the
## generator scripts are expected to fill it (not visible here - verify).
## Keys must match the query string exactly as seen in dns_request
## (no normalization is applied before the lookup).
const domains: table[string] of Kit = table();
}
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	# Only names that a generator has placed in the table are of interest;
	# everything else leaves the handler immediately.
	if ( query !in DomainGeneration::domains )
		return;

	# The kit that produced this name, used for both the message and $sub.
	local kit = domains[query];

	# No $identifier is set, so the notice framework does not suppress
	# repeats: each matching query from a host yields its own notice.
	NOTICE([$note=DomainGeneration::Computed_Domain_Detected,
	        $msg=fmt("%s requested a domain (%s) generated by %s.", c$id$orig_h, query, kit),
	        $sub=cat(kit),
	        $conn=c]);
	}