[Oisf-devel] PREPROCESSOR IDEA: Reliable Fast Flux Detection
Victor Julien
victor at inliniac.net
Tue Mar 20 09:08:04 UTC 2012
On 03/19/2012 07:54 PM, Edward Fjellskål wrote:
> I did some work on passivedns this weekend, and I have a branch
> that now catches and logs nxdomains for testing.
>
> In passivedns I use libldns from nlnetlabs.nl, which makes parsing dns
> traffic easier :)
> That might be a lib to consider if one wants to implement something
> like a dns-preprocessor.
>
> Example output from e2d5d6ce50cf0a6b816e0f2aa7c35970 and its traffic:
> (From passivedns)
>
> ...
> #timestamp||dns-client||dns-server||RR class||Query||Query Type||Answer||TTL
> 1326607865||192.168.X.Y||1.2.3.4||IN||cicavemejih.eu.||A||NXDOMAIN||0
> 1326607865||192.168.X.Y||1.2.3.4||IN||tuwiduqotug.eu.||A||NXDOMAIN||0
> 1326607865||192.168.X.Y||1.2.3.4||IN||xuqotujodaz.eu.||A||NXDOMAIN||0
> 1326607865||192.168.X.Y||1.2.3.4||IN||kepyxujycaz.eu.||A||NXDOMAIN||0
> 1326607865||192.168.X.Y||1.2.3.4||IN||magowymafum.eu.||A||NXDOMAIN||0
> ...
Interesting. Do you have a link to your implementation so I can see how
you integrated the lib?
I do see a problem with the lib though. It seems to be BSD licensed,
which is good, but it also depends on OpenSSL which is considered to
have an GPL incompatible license.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-devel
mailing list