[Oisf-devel] PREPROCESSOR IDEA: Reliable Fast Flux Detection

Edward Fjellskål edwardfjellskaal at gmail.com
Tue Mar 20 09:23:41 UTC 2012


On 03/20/2012 10:08 AM, Victor Julien wrote:
> On 03/19/2012 07:54 PM, Edward Fjellskål wrote:
>> I did some work on passivedns this weekend, and I have a branch
>> that now catches and logs nxdomains for testing.
>>
>> In passivedns I use libldns from nlnetlabs.nl, which makes parsing dns
>> traffic easier :)
>> That might be a lib to consider if one wants to implement something
>> like a dns-preprocessor.
>>
>> Example output from e2d5d6ce50cf0a6b816e0f2aa7c35970 and its traffic:
>> (From passivedns)
>>
>> ...
>> #timestamp||dns-client||dns-server||RR class||Query||Query Type||Answer||TTL
>> 1326607865||192.168.X.Y||1.2.3.4||IN||cicavemejih.eu.||A||NXDOMAIN||0
>> 1326607865||192.168.X.Y||1.2.3.4||IN||tuwiduqotug.eu.||A||NXDOMAIN||0
>> 1326607865||192.168.X.Y||1.2.3.4||IN||xuqotujodaz.eu.||A||NXDOMAIN||0
>> 1326607865||192.168.X.Y||1.2.3.4||IN||kepyxujycaz.eu.||A||NXDOMAIN||0
>> 1326607865||192.168.X.Y||1.2.3.4||IN||magowymafum.eu.||A||NXDOMAIN||0
>> ...
> Interesting. Do you have a link to your implementation so I can see how
> you integrated the lib?
>
> I do see a problem with the lib though. It seems to be BSD licensed,
> which is good, but it also depends on OpenSSL which is considered to
> have a GPL-incompatible license.
>

https://github.com/gamelinux/passivedns
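A worked example of the detection idea this thread is circling (not code from passivedns or Suricata): parse the `||`-delimited passivedns records quoted above and flag a client that collects many NXDOMAIN answers for distinct names in a short window, the pattern a DGA or fast-flux client produces. The sample lines, addresses, window and threshold are all constructed for illustration.

```python
from collections import defaultdict

# Field order of a passivedns record, per the header line quoted above.
FIELDS = ("timestamp", "client", "server", "rr_class", "query",
          "qtype", "answer", "ttl")

# Constructed sample log in the same '||' format (addresses are made up).
SAMPLE_LOG = """\
#timestamp||dns-client||dns-server||RR class||Query||Query Type||Answer||TTL
1326607865||192.168.0.10||1.2.3.4||IN||cicavemejih.eu.||A||NXDOMAIN||0
1326607865||192.168.0.10||1.2.3.4||IN||tuwiduqotug.eu.||A||NXDOMAIN||0
1326607866||192.168.0.10||1.2.3.4||IN||xuqotujodaz.eu.||A||NXDOMAIN||0
1326607866||192.168.0.10||1.2.3.4||IN||kepyxujycaz.eu.||A||NXDOMAIN||0
1326607867||192.168.0.10||1.2.3.4||IN||magowymafum.eu.||A||NXDOMAIN||0
1326607870||192.168.0.11||1.2.3.4||IN||www.example.com.||A||93.184.216.34||3600
1326607990||192.168.0.11||1.2.3.4||IN||typo.example.||A||NXDOMAIN||0
"""

def parse_line(line):
    """Parse one record; return None for the header, blank or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split("||")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["timestamp"] = int(rec["timestamp"])
    rec["ttl"] = int(rec["ttl"])
    return rec

def nxdomain_bursts(log_text, window=60, threshold=5):
    """Return {client: sorted distinct NXDOMAIN names} for each client with
    `threshold` or more NXDOMAINs for distinct names inside any `window`
    seconds. Distinct names matter: a retried typo is one miss, a DGA client
    walks through many unique names. Window and threshold are hypothetical."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["answer"] == "NXDOMAIN":
            by_client[rec["client"]].append((rec["timestamp"], rec["query"]))
    flagged = {}
    for client, events in by_client.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            names = {q for t, q in events[i:] if t - t0 <= window}
            if len(names) >= threshold:
                flagged[client] = sorted(names)
                break
    return flagged
```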
