├── COPYING ├── README.md ├── __load__.bro ├── bro-pkg.meta └── scripts ├── __load__.bro └── main.bro /COPYING: -------------------------------------------------------------------------------- 1 | Copyright (c) 2017, hhzzk 2 | All rights reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without 5 | modification, are permitted provided that the following conditions are met: 6 | 7 | (1) Redistributions of source code must retain the above copyright 8 | notice, this list of conditions and the following disclaimer. 9 | 10 | (2) Redistributions in binary form must reproduce the above copyright 11 | notice, this list of conditions and the following disclaimer in the 12 | documentation and/or other materials provided with the distribution. 13 | 14 | (3) Neither the name of the International Computer Science Institute, 15 | nor the names of contributors may be used to endorse or promote 16 | products derived from this software without specific prior 17 | written permission. 18 | 19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 | ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 23 | LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24 | CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 | SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 | CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 | ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 | POSSIBILITY OF SUCH DAMAGE. 
30 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # dns-tunnels 2 | 3 | This script is used to detect [DNS tunnels](http://heyoka.sourceforge.net/heyoka-shakacon2009.pdf), and is written according to the paper [_Chimera: A Declarative Language for Streaming Network Traffic Analysis_](https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final116.pdf) and the report [_Detecting DNS Tunneling_](https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152). 4 | 5 | It is based on the number of DNS queries within a period of time, the length of the DNS query, and the percentage of numerical characters in the DNS query. 6 | 7 | This repository is used as a [Bro package](https://github.com/hhzzk/packages). 8 | -------------------------------------------------------------------------------- /__load__.bro: -------------------------------------------------------------------------------- 1 | @load ./scripts -------------------------------------------------------------------------------- /bro-pkg.meta: -------------------------------------------------------------------------------- 1 | [package] 2 | description = Detect DNS Tunnels attack.
3 | tags = DNS, DNS Tunnels, DNS Tunneling 4 | version = 1.0.0 5 | script_dir = scripts 6 | -------------------------------------------------------------------------------- /scripts/__load__.bro: -------------------------------------------------------------------------------- 1 | 2 | @load ./main 3 | -------------------------------------------------------------------------------- /scripts/main.bro: -------------------------------------------------------------------------------- 1 | # Script for detecting DNS Tunnels attack 2 | 3 | @load base/frameworks/notice 4 | 5 | module DNS_TUNNELS; 6 | 7 | export { 8 | 9 | redef enum Notice::Type += { 10 | 11 | ## The volume of the requests is bigger than the threshold. 12 | RequestCountOverload, 13 | 14 | ## The count of numeral of the request is overmuch. 15 | OvermuchNumber, 16 | 17 | ## DNS tunnels attack 18 | DnsTunnelsAttack 19 | 20 | }; 21 | 22 | ## The threshold of the request count in a certain period. 23 | ## When the volume of the requests of a specific host is 24 | ## bigger than this threshold, we consider the host is attacked. 
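const request_count_threshold = 100 &redef;

## Queries longer than this many characters are considered suspicious
## enough to get the numeral-ratio check; shorter ones are skipped.
const query_len_threshold = 27 &redef;

## The maximum fraction (0.0 - 1.0) of numerals a query may contain
## before it is reported as OvermuchNumber.
const percentage_of_num_count = 0.2 &redef;

## Length of the counting window: a host's query counter is dropped this
## long after it was created, so request_count_threshold is measured per
## window of this size.
const record_expiration = 5min &redef;

}

# Map client ip to query count for the current window.
# &create_expire (rather than &read_expire) bounds the window by creation
# time; with &read_expire a host that kept sending would never expire and
# the counter would accumulate across an unbounded period, which is not the
# "count in a certain period" the threshold documents.
global cq_table: table[addr] of count &create_expire = record_expiration;

# Handler for the built-in dns_request event (global namespace). A handler
# named DNS_TUNNELS::dns_request refers to a separately scoped event that the
# DNS analyzer never raises, so the detection would silently never run.
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	# Nothing to measure on an empty query name.
	if ( query == "" )
		return;

	local src_ip = c$id$orig_h;

	# First query from this host in the current window starts its counter;
	# every query, including the first, is then counted and inspected.
	if ( src_ip !in cq_table )
		cq_table[src_ip] = 0;

	cq_table[src_ip] += 1;

	if ( cq_table[src_ip] > request_count_threshold )
		{
		NOTICE([$note = RequestCountOverload,
		        $conn = c,
		        $msg = fmt("The host %s sent more than %d DNS queries within %s",
		                   src_ip, request_count_threshold, record_expiration),
		        # One notice per host per suppression interval instead of one per packet.
		        $identifier = cat(src_ip)]);
		# Start a fresh window so the next notice needs another full threshold of queries.
		delete cq_table[src_ip];
		return;
		}

	# Only long queries get the (more expensive) numeral-ratio check.
	local query_len = |query|;
	if ( query_len <= query_len_threshold )
		return;

	local num_count = 0;
	for ( ch in query )
		{
		if ( ch in "0123456789" )
			++num_count;
		}

	# Compare on the count side so no integer division truncates the ratio.
	# The previous form num_count*10 / query_len > percentage_of_num_count
	# dropped the fractional part and therefore fired at a 10% ratio
	# regardless of the configured percentage.
	if ( num_count > percentage_of_num_count * query_len )
		{
		NOTICE([$note = OvermuchNumber,
		        $conn = c,
		        $msg = fmt("The query from %s contains too many numerals (%d of %d characters)",
		                   src_ip, num_count, query_len),
		        $sub = query,
		        $identifier = cat(src_ip)]);
		}
	}
--------------------------------------------------------------------------------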