DNS Tunnel Detection

Introduction

This application parses DNS server log entries and looks for signs of DNS tunnel activity through the very complicated method of filtering out the crap you don't want and counting the rest.

Requirements

TLDextract is required. Get it at: https://github.com/john-kurkowski/tldextract

Instructions

Command-line arguments
python tunviz.py [-dfq] [-b int] [-i input_file] -c config_file

-b int          Set how many seconds between beacons (default: 5)
-c filename     Location of the config file (default: default.cfg)
-d              Enable debug mode (default: False)
-f              Use additional noise filtering (default: False)
-i filename     Location of the file to parse (default: None)
-q              Quiet mode, only results are output (default: False)

Example

python tunviz.py -d -f -b 60 -i log.txt -c default.cfg

It can also take stdin as an input:

cat log1.txt log2.txt | python tunviz.py -q -c default.cfg

Config File

The config file has 2 types of sections: General and Parser.

The General section can configure the beacon interval and the additional filter setting, but the corresponding command-line arguments override them.

The Parser sections contain the following values:

  • regex: This is a regular expression that is used to parse a log line into the following fields: date_time, status, query_type and question
  • date_time: This is an INT representing the regex capture group that contains the date and time
  • date_time_format: This is the strptime encoded format that the date_time field is in. See http://pubs.opengroup.org/onlinepubs/009695399/functions/strptime.html for more information. Note: ConfigParser requires '%' symbols to be escaped by another '%'. See default.cfg for an example.
  • status: This is an INT representing the regex capture group that contains the status of the DNS Request. (e.g. NOERROR or NXDOMAIN)
  • query_type: This is an INT representing the regex capture group that contains the type of query. (e.g. A, AAAA, MX, CNAME, etc.)
  • question: This is an INT representing the regex capture group that contains the FQDN that was requested. In Windows DNS logs, this entry looks like (3)www(6)google(3)com(0). The script can handle this case.
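As an added example (not code from tunviz itself), the following shows how a Parser section in this layout can be loaded with ConfigParser and applied to a log line, including the doubled '%' in date_time_format and decoding of the Windows (3)www(6)google(3)com(0) question form. The config text, the regex, the section name "Parser windows" and the log line are all constructed for this example.

```python
import configparser
import re
from datetime import datetime
# Constructed config in the README's layout, not the project's default.cfg; note the doubled '%'.
SAMPLE_CONFIG = r"""
[Parser windows]
regex = ^(\S+ \S+ [AP]M) .* (NOERROR|NXDOMAIN) (\w+) (\S+)$
date_time = 1
date_time_format = %%m/%%d/%%Y %%I:%%M:%%S %%p
status = 2
query_type = 3
question = 4
"""
# Constructed, simplified Windows-style DNS log line (not a real capture).
SAMPLE_LOG_LINE = "1/15/2024 10:32:01 AM PACKET Rcv Q NOERROR A (3)www(6)google(3)com(0)"
LABEL_RE = re.compile(r"\((\d+)\)")

def decode_windows_name(question):
    """Turn '(3)www(6)google(3)com(0)' into 'www.google.com'; plain names pass through."""
    if not question.startswith("("):
        return question.rstrip(".")
    labels, pos = [], 0
    while m := LABEL_RE.match(question, pos):
        length, start = int(m.group(1)), m.end()
        if length == 0:  # (0) is the root label: end of the name
            return ".".join(labels)
        label = question[start:start + length]
        if len(label) != length:  # length prefix claims bytes that are not there
            raise ValueError(f"truncated label in {question!r}")
        labels.append(label)
        pos = start + length
    raise ValueError(f"malformed label encoding in {question!r}")

def load_parsers(config_text):
    """Compile every [Parser ...] section into a regex plus its capture-group numbers."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    return [{"regex": re.compile(cfg.get(s, "regex")), "fmt": cfg.get(s, "date_time_format"),
             "groups": {f: cfg.getint(s, f) for f in ("date_time", "status", "query_type", "question")}}
            for s in cfg.sections() if s.startswith("Parser")]

def parse_line(line, parsers):
    """Return the four README fields as a dict, or None if no parser section matches."""
    for p in parsers:
        if m := p["regex"].match(line.strip()):
            rec = {f: m.group(i) for f, i in p["groups"].items()}
            rec["date_time"] = datetime.strptime(rec["date_time"], p["fmt"])
            rec["question"] = decode_windows_name(rec["question"])
            return rec
    return None
```

A line that matches no Parser section is skipped rather than counted, which is what keeps unrelated log noise out of the tunnel statistics.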