-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Change file structure and delete repeated yaml file already in pdnsso…
…c-cli
- Loading branch information
4quarks
committed
Sep 19, 2024
1 parent
0d83ee1
commit bb31ab6
Showing
6 changed files
with
190 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
################################################ | ||
# Collector configuration | ||
################################################ | ||
global: | ||
trace: | ||
verbose: false | ||
# Modify with your server ID provided by your destination pDNSSOC server | ||
server-identity: "SERVER_ID" | ||
|
||
text-format: "timestamp-rfc3339ns identity operation rcode queryip queryport family protocol length qname qtype latency" | ||
# default text field delimiter | ||
text-format-delimiter: " " | ||
# default text field boundary | ||
text-format-boundary: "\"" | ||
|
||
multiplexer: | ||
collectors: | ||
- name: sniff | ||
afpacket-sniffer: | ||
device: eth0 # modify with the appropriate interface | ||
port: 53 # modify with the appropriate port | ||
chan-buffer-size: 65535 | ||
transforms: | ||
filtering: | ||
log-queries: false | ||
log-replies: true | ||
|
||
loggers: | ||
- name: dnstap_pdnssoc | ||
dnstapclient: | ||
remote-address: pdnssoc_server_ip # Modify with the target pdnssoc destination | ||
remote-port: pdnssoc_server_port # Modify accordingly i.e. 7001 | ||
connect-timeout: 5 | ||
retry-interval: 10 | ||
flush-interval: 10 | ||
tls-support: false | ||
tls-insecure: false | ||
server-id: "ID_PDNSSOC" | ||
buffer-size: 100 | ||
chan-buffer-size: 65535 | ||
|
||
routes: | ||
- from: [ sniff ] # enable if sniffing with AF_PACKET | ||
# Enable if using dnstap | ||
#- dnstap_socket | ||
to: [ dnstap_pdnssoc ] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
[Unit] | ||
Description=Go DNS Collector Service | ||
After=network.target | ||
|
||
[Service] | ||
ExecStart=/usr/bin/go-dnscollector -config /etc/dnscollector/config.yml | ||
ExecReload=/bin/kill -SIGHUP $MAINPID | ||
KillMode=process | ||
Restart=on-failure | ||
User=dnscollector | ||
Group=dnscollector | ||
WorkingDirectory=/etc/dnscollector | ||
|
||
[Install] | ||
WantedBy=multi-user.target |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
#!/bin/bash | ||
|
||
BACKUP_FOLDER=/var/dnscollector/queries/$(date +%Y-%m-%d) | ||
mkdir -p $BACKUP_FOLDER | ||
|
||
FILE_NAME=$(basename $1 .log) | ||
|
||
jq -c '. | {timestamp: .dnstap."timestamp-rfc3339ns", query: .dns.qname, client: .network."query-ip", server: .network."response-ip", client_id: .dnstap.identity , answers: .dns."resource-records".an }' $1 > $BACKUP_FOLDER/$FILE_NAME.json && gzip -S .gz_minified $BACKUP_FOLDER/$FILE_NAME.json |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
################################################ | ||
# Collector configuration | ||
################################################ | ||
global: | ||
pid-file: "/var/dnscollector/collector.pid" | ||
trace: | ||
verbose: false | ||
server-identity: "pDNSSOC_SERVER" | ||
text-format: "timestamp-rfc3339ns qr identity operation rcode queryip queryport protocol qname qtype name" | ||
# default text field delimiter | ||
text-format-delimiter: " " | ||
# default text field boundary | ||
text-format-boundary: "\"" | ||
|
||
|
||
pipelines: | ||
- name: dnstap | ||
dnstap: | ||
listen-ip: 0.0.0.0 | ||
listen-port: 7001 | ||
chan-buffer-size: 655350 | ||
transforms: | ||
filtering: | ||
log-queries: false | ||
log-replies: true | ||
routing-policy: | ||
forward: [ filelogdomains, filelogips, fileall ] | ||
|
||
- name: filelogdomains | ||
logfile: | ||
file-path: /var/dnscollector/matches/matches_domains.json | ||
mode: json | ||
transforms: | ||
filtering: | ||
keep-fqdn-file: '/var/dnscollector/misp_domains.txt' | ||
|
||
- name: filelogips | ||
logfile: | ||
file-path: /var/dnscollector/matches/matches_ips.json | ||
mode: json | ||
transforms: | ||
filtering: | ||
keep-rdata-file: '/var/dnscollector/misp_ips.txt' | ||
|
||
- name: fileall | ||
logfile: | ||
file-path: /var/dnscollector/queries/queries.json | ||
mode: json | ||
flush-interval: 1 | ||
# Tune the size and number of files used for retro searches here: | ||
max-size: 200 | ||
max-files: 5 | ||
chan-buffer-size: 65535 | ||
postrotate-delete-success: true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
LANG=nb_NO.UTF-8 | ||
LC_ALL=nb_NO.UTF-8 | ||
|
||
# Run fetch_iocs every hour | ||
0 */1 * * * root (pdnssoc-cli fetch-iocs && /bin/kill -SIGHUP $(cat /var/dnscollector/collector.pid)) >> /var/log/pdnssoc-cli-fetch-iocs.log 2>&1 | ||
|
||
# Run correlation & alert every 15min | ||
*/15 * * * * root pdnssoc-cli correlate /var/dnscollector/matches >> /var/log/pdnssoc-cli-correlate.log 2>&1 && pdnssoc-cli alert /var/dnscollector/alerts/ >> /var/log/pdnssoc-cli-alert.log 2>&1 | ||
|
||
# Retro-active searches every hour, if the system is not overloaded | ||
0 */1 * * * root ([ $(awk '{print $1}' /proc/loadavg) \< 0.5 ] && pdnssoc-cli correlate --retro_disco_lookup /var/dnscollector/queries/) >> /var/log/pdnssoc-cli-retro.log 2>&1 | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
options { | ||
directory "/var/opt/isc/scls/isc-bind/named/data"; | ||
listen-on port 53 { any; }; | ||
listen-on-v6 { none; }; | ||
allow-query { any; }; | ||
recursion yes; | ||
allow-recursion { any; }; | ||
# forwarders { | ||
# IP_TO_FORWARDER; # i.e. 8.8.8.8 | ||
# }; | ||
dnssec-validation no; | ||
dnstap { all; }; | ||
dnstap-output file "/var/log/named/dnstap.log" size unlimited; | ||
# response-policy { zone "rpz.local"; }; | ||
}; | ||
|
||
#zone "rpz.local" { | ||
# type master; | ||
# file "/var/opt/isc/scls/isc-bind/named/data/db.rpz"; | ||
#}; | ||
|
||
logging { | ||
channel update_debug { | ||
file "/var/log/named/update_debug.log" versions 3 size 250k; | ||
severity debug; | ||
print-severity yes; | ||
print-time yes; | ||
}; | ||
channel security_info { | ||
file "/var/log/named/security_info.log" versions 1 size 250k; | ||
severity info; | ||
print-category yes; | ||
print-severity yes; | ||
print-time yes; | ||
}; | ||
channel bind_log { | ||
file "/var/log/named/bind.log" versions 3 size 1m; | ||
severity info; | ||
print-category yes; | ||
print-severity yes; | ||
print-time yes; | ||
}; | ||
# channel rpzlog { | ||
# file "/var/log/named/rpz.log" versions unlimited size 1000m; | ||
# print-time yes; | ||
# print-category yes; | ||
# print-severity yes; | ||
# severity info; | ||
# }; | ||
category default { bind_log; }; | ||
category update { update_debug; }; | ||
category update-security { update_debug; }; | ||
category security { security_info; }; | ||
# category rpz { rpzlog; }; | ||
}; |