dnsmole



Last updated: 2011/02/22

What is dnsMole?


According to the official site, the purpose of dnsMole is to analyse DNS traffic and, from that traffic, detect botnet C&C (Command and Control) servers and infected hosts. The following passage is quoted from the official site:

dnsMole is designed to analyse dns traffic, and to potentially detect botnet C&C server and infected hosts. It can be used as passive sniffer, and it can analyse already sniffed network traffic dumped in .pcap file format. Algorithms implemented in this tool are based on research and can be viewed in following papers:

1. Anomaly detection for DNS Servers using frequent host selection
2. Botnet detection by monitoring group activities in DNS traffic
3. Extending black domain name list by using co-occurrence relation between DNS queries

Since all these methods heavily depend on threshold parameters, you can define your own parameters in dnsMole configuration file and in that way increase ( or decrease :) ) chances of positive detection. dnsMole supports storing black/white list in memory and in that way it can help classify hosts.


Installation


1. The DNS-mole official site (Domain Name System - Mole): http://dns-mole.googlecode.com/svn/trunk/
2. My test environment: Ubuntu Linux 10.04
3. Installing DNS-mole requires subversion to be installed on the system (the svn checkout command is given at the end of this page)

4. During installation my system was missing the sqlite and libevent libraries, which had to be installed separately:

```
sudo apt-get install libsqlite3-dev libsqlite3-0
sudo apt-get install libevent-core-1.4-2 libevent-dev libevent-1.4-2
```

5. The documentation shipped with the source code gives the basic installation and usage instructions: dns-mole-read-only/README. The configuration file dnsmole.conf looks like this:

```
#detection based on group activity
aAnalyzeInterval 1200 -- interval for collecting dns packets for activity method
aDrop 5 -- remove fqdn from structure if it is queried less than n different hosts
aBlackSimilarity 0.8 -- report black if similarity is higher or equal
aWhiteSimilarity 0.1 -- report white if similarity is less or equal

#detection based on host co-occurrence
oAnalyzeInterval 600 -- interval for collecting dns packets for co-occurrence method
oBlackIpTreshold 0.5 -- report host is infected if ratio (queried_black/queried_all) is higher or equal
oWhite 0.1 -- report white if index is less or equal
oBlack 0.9 -- report black if index is higher or equal

# Subnet where program is going to be run
nSubnet 16 -- define subnet where program is running, used for storing hosts ip in hash table

#detection based on statistics
sThresholdTotal 5 -- the threshold for the number of a host's queries/responses for a time period
sThresholdPTR 5 -- for the number of PTR queries
sThresholdMX 5 -- for the number of MX queries
sThresholdBalance 0.9 -- for the difference between the number of queries and responses
sThresholdPTRRate 0.9 -- for the rate of PTR queries
sThresholdMXRate 0.9 -- for the rate of MX queries
sClassifyInterval 30 -- period to classify queries into host's statistics
sAnalyzeInterval 1800 -- the interval to collect data before sending to analyze
```
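To make the threshold semantics concrete, here is an added Python illustration (written for this page, not dnsMole's own code) that applies oBlackIpTreshold, sThresholdTotal, sThresholdPTRRate and sThresholdMXRate to a few constructed query records. The record layout, the blacklist contents and the rule names are assumptions; dnsMole's real implementation works on live packets and .pcap files.

```python
from collections import Counter, defaultdict

# Thresholds named after the dnsmole.conf keys quoted above (spelling as in the file).
CONF = {
    "sThresholdTotal": 5,      # minimum queries before the statistics rules apply
    "sThresholdPTRRate": 0.9,  # share of PTR queries at or above this is suspicious
    "sThresholdMXRate": 0.9,   # share of MX queries at or above this is suspicious
    "oBlackIpTreshold": 0.5,   # queried_black / queried_all at or above this -> infected
}
BLACKLIST = {"evil-cc.example", "bot-update.example"}  # constructed, bl.txt style

# Constructed query records: (source host, query type, queried name).
QUERIES = [
    ("10.0.0.5", "A", "www.ncku.edu.tw"),
    ("10.0.0.5", "A", "evil-cc.example"),
    ("10.0.0.5", "A", "evil-cc.example"),
    ("10.0.0.5", "A", "bot-update.example"),
    ("10.0.0.5", "MX", "bot-update.example"),
    ("10.0.0.5", "A", "evil-cc.example"),
    ("10.0.0.7", "A", "www.ncku.edu.tw"),
    ("10.0.0.7", "A", "www.ncku.edu.tw"),
] + [("10.0.0.9", "PTR", f"{i}.0.0.10.in-addr.arpa") for i in range(6)]


def classify_hosts(queries, conf=CONF, blacklist=BLACKLIST):
    """Map each source host to the set of rules it trips (hypothetical rule names)."""
    per_host = defaultdict(Counter)   # host -> Counter of query types
    black_hits = Counter()            # host -> number of queries for blacklisted names
    for host, qtype, name in queries:
        per_host[host][qtype] += 1
        if name in blacklist:
            black_hits[host] += 1

    verdict = {}
    for host, counts in per_host.items():
        total = sum(counts.values())
        reasons = set()
        # co-occurrence style rule: ratio of blacklisted queries to all queries
        if black_hits[host] / total >= conf["oBlackIpTreshold"]:
            reasons.add("blacklist-ratio")
        # statistics rules only apply once the host is busy enough in the period
        if total >= conf["sThresholdTotal"]:
            if counts["PTR"] / total >= conf["sThresholdPTRRate"]:
                reasons.add("ptr-rate")
            if counts["MX"] / total >= conf["sThresholdMXRate"]:
                reasons.add("mx-rate")
        verdict[host] = reasons
    return verdict
```

With the sample records, 10.0.0.5 trips the blacklist ratio, 10.0.0.9 trips the PTR rate, and 10.0.0.7 stays clean because it never reaches sThresholdTotal.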

dnsMole parameters

```
dnsMole program parameters
==========================
-b <file> and -w <file> - black/white list filename
-c <file> - configuration filename
-l <file> - define name of log file, if it is not used default dnsmole-log will be used
-i <interface> - set interface for sniffing
-s - sniffer mode
-d - run program in background
-p <file> - use .pcap file for analysis
-a <interval> - it MUST be used with method 2 in pcap analysis mode, defines interval of .pcap file
-t <1|2|3> - analysis method
```

Author's note: analysis methods 1, 2 and 3 should correspond to
1. Anomaly detection for DNS Servers using frequent host selection
2. Botnet detection by monitoring group activities in DNS traffic
3. Extending black domain name list by using co-occurrence relation between DNS queries

How to use dnsmole

dnsMole requires that you run the program as root in sniffer mode, but for pcap analysis it isn't required.

1. pcap analysis

Analyse example.pcap with method 1, put in background, use bl.txt as blacklist:

```
$ dnsmole -c doc/dnsmole.conf -p example.pcap -b bl.txt -t 1 -d
```

Analyse example.pcap with method 2, pcap interval is n, use bl.txt as blacklist and wl.txt as whitelist:

```
$ dnsmole -c doc/dnsmole.conf -p example.pcap -b bl.txt -w wl.txt -t 2 -a n
```

2. sniffer mode ( root privileges )

Use wlan0 as interface with wl.txt as whitelist, define log001 as output log and use method 3, put in background:

```
# dnsmole -i wlan0 -s -d -c doc/dnsmole.conf -w wl.txt -l log001 -t 3
```

3. combined ( root privileges )

First run analysis on example.pcap and then run the sniffer in background:

```
# dnsmole -t 2 -a n -p example.pcap -w wl.txt -b bl.txt -s -d -i wlan0 -l dnsmoleLog
```

Port mirror mode test

Startup:
1. Create the configuration file /etc/dnsmole/dnsmole.conf (the doc/dnsmole.conf template from the source code can be used)
2. Specify the traffic interface: -i eth1
3. Create a blacklist of domains, bl.txt, and a whitelist of domains, wl.txt. The format of bl.txt and wl.txt is one domain name per line, e.g. www.ncku.edu.tw
4. Mode 1 (-t 1).
5. Start sniffer mode: -s

```
# dnsmole -c /etc/dnsmole/dnsmole.conf -i eth1 -b bl.txt -w wl.txt -t 1 -s
```

If the traffic comes from a .pcap file instead, use -p file_name.pcap to specify the file.

Checking out the source code (project "Domain Name System - Mole"):

```
svn checkout http://dns-mole.googlecode.com/svn/trunk/ dns-mole-read-only
```