Change file structure and delete repeated yaml file already in pdnsso…
…c-cli
4quarks committed Sep 19, 2024
1 parent 0d83ee1 commit bb31ab6
Showing 6 changed files with 190 additions and 0 deletions.
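--- a/config/dnscollector/client.yml
+++ b/config/dnscollector/client.yml
@@ -0,0 +1,46 @@
+################################################
+# Collector configuration
+################################################
+global:
+trace:
+verbose: false
+# Modify with your server ID provided by your destination pDNSSOC server
+server-identity: "SERVER_ID"
+
+text-format: "timestamp-rfc3339ns identity operation rcode queryip queryport family protocol length qname qtype latency"
+# default text field delimiter
+text-format-delimiter: " "
+# default text field boundary
+text-format-boundary: "\""
+
+multiplexer:
+collectors:
+- name: sniff
+afpacket-sniffer:
+device: eth0 # modify with the appropriate interface
+port: 53 # modify with the appropriate port
+chan-buffer-size: 65535
+transforms:
+filtering:
+log-queries: false
+log-replies: true
+
+loggers:
+- name: dnstap_pdnssoc
+dnstapclient:
+remote-address: pdnssoc_server_ip # Modify with the target pdnssoc destination
+remote-port: pdnssoc_server_port # Modify accordingly i.e. 7001
+connect-timeout: 5
+retry-interval: 10
+flush-interval: 10
+tls-support: false
+tls-insecure: false
+server-id: "ID_PDNSSOC"
+buffer-size: 100
+chan-buffer-size: 65535
+
+routes:
+- from: [ sniff ] # enable if sniffing with AF_PACKET
+# Enable if using dnstap
+#- dnstap_socket
+to: [ dnstap_pdnssoc ]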
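Review bot: The dnstap client logger carries a second identity placeholder, `server-id: "ID_PDNSSOC"`, with no comment, while `server-identity: "SERVER_ID"` under `global:` is annotated as the value handed out by the pDNSSOC operator; a reader cannot tell which of the two must be replaced, so either annotate it, e.g. `server-id: "ID_PDNSSOC" # identity carried in the dnstap frames; keep in sync with global.server-identity`, or drop one if the collector ignores it. `tls-support: false` next to an uncommented `tls-insecure: false` also deserves a line such as `tls-support: false # set true once the pDNSSOC server presents a certificate; otherwise query data (client IPs, qnames) presumably leaves this host in cleartext`. The placeholder `remote-port: pdnssoc_server_port` is a bare word where the comment promises an integer; writing `remote-port: 7001 # modify with the pdnssoc dnstap port` avoids a type error when someone forgets to substitute it. Indentation is not visible in this rendering, so the nesting of these keys could not be checked.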
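--- a/config/dnscollector/dnscollector.service
+++ b/config/dnscollector/dnscollector.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Go DNS Collector Service
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/go-dnscollector -config /etc/dnscollector/config.yml
+ExecReload=/bin/kill -SIGHUP $MAINPID
+KillMode=process
+Restart=on-failure
+User=dnscollector
+Group=dnscollector
+WorkingDirectory=/etc/dnscollector
+
+[Install]
+WantedBy=multi-user.target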
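Review bot: `ExecStart=/usr/bin/go-dnscollector -config /etc/dnscollector/config.yml` points at a file this commit does not ship — it adds `client.yml` and `server.yml` under config/dnscollector — so either an install step renames one of them or the unit needs a comment stating which file is expected at that path. The unit runs as `User=dnscollector`, yet `client.yml` uses an AF_PACKET sniffer, which needs raw-socket capability; if this unit also serves the client role add `AmbientCapabilities=CAP_NET_RAW`, and in either role `NoNewPrivileges=true` plus `ProtectSystem=strict` with `ReadWritePaths=/var/dnscollector` keep a compromised collector from writing outside its data directory. `KillMode=process` leaves any child processes running on stop; the default `control-group` is usually what a single-binary service wants, so if `process` is deliberate a one-line comment explaining why would help.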
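--- a/config/dnscollector/postrotate_query.sh
+++ b/config/dnscollector/postrotate_query.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+BACKUP_FOLDER=/var/dnscollector/queries/$(date +%Y-%m-%d)
+mkdir -p $BACKUP_FOLDER
+
+FILE_NAME=$(basename $1 .log)
+
+jq -c '. | {timestamp: .dnstap."timestamp-rfc3339ns", query: .dns.qname, client: .network."query-ip", server: .network."response-ip", client_id: .dnstap.identity , answers: .dns."resource-records".an }' $1 > $BACKUP_FOLDER/$FILE_NAME.json && gzip -S .gz_minified $BACKUP_FOLDER/$FILE_NAME.json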
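Review bot: `$1`, `$BACKUP_FOLDER` and `$FILE_NAME` are expanded unquoted on every line, so a rotated path containing whitespace or a glob character breaks `basename`, `mkdir` and the output redirect, and an unset `$1` makes `jq` read stdin instead of failing. Because `server.yml` sets `postrotate-delete-success: true`, this script's exit status decides whether the collector deletes the rotated log, so it should fail early and loudly: `set -euo pipefail`, an argument-count check, and quotes on every expansion. The jq filter itself is unchanged.
```shell
#!/bin/bash
set -euo pipefail

# The collector deletes the rotated file only when this script exits 0.
[ "$#" -eq 1 ] || { echo "usage: $0 <rotated-log>" >&2; exit 1; }

BACKUP_FOLDER="/var/dnscollector/queries/$(date +%Y-%m-%d)"
mkdir -p "$BACKUP_FOLDER"

FILE_NAME="$(basename "$1" .log)"

# … unchanged: jq filter and gzip, with "$1" and "$BACKUP_FOLDER/$FILE_NAME.json" quoted …
```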
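--- a/config/dnscollector/server.yml
+++ b/config/dnscollector/server.yml
@@ -0,0 +1,54 @@
+################################################
+# Collector configuration
+################################################
+global:
+pid-file: "/var/dnscollector/collector.pid"
+trace:
+verbose: false
+server-identity: "pDNSSOC_SERVER"
+text-format: "timestamp-rfc3339ns qr identity operation rcode queryip queryport protocol qname qtype name"
+# default text field delimiter
+text-format-delimiter: " "
+# default text field boundary
+text-format-boundary: "\""
+
+
+pipelines:
+- name: dnstap
+dnstap:
+listen-ip: 0.0.0.0
+listen-port: 7001
+chan-buffer-size: 655350
+transforms:
+filtering:
+log-queries: false
+log-replies: true
+routing-policy:
+forward: [ filelogdomains, filelogips, fileall ]
+
+- name: filelogdomains
+logfile:
+file-path: /var/dnscollector/matches/matches_domains.json
+mode: json
+transforms:
+filtering:
+keep-fqdn-file: '/var/dnscollector/misp_domains.txt'
+
+- name: filelogips
+logfile:
+file-path: /var/dnscollector/matches/matches_ips.json
+mode: json
+transforms:
+filtering:
+keep-rdata-file: '/var/dnscollector/misp_ips.txt'
+
+- name: fileall
+logfile:
+file-path: /var/dnscollector/queries/queries.json
+mode: json
+flush-interval: 1
+# Tune the size and number of files used for retro searches here:
+max-size: 200
+max-files: 5
+chan-buffer-size: 65535
+postrotate-delete-success: true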
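Review bot: The dnstap pipeline binds `listen-ip: 0.0.0.0` / `listen-port: 7001` with no TLS or peer restriction in the file, and the companion client config sends with `tls-support: false`, so any host that can reach the port can submit dnstap frames that land in the matches and queries logs and feed the correlation jobs; add a comment on `listen-ip` stating that the port must be firewalled to the known client IPs, or enable the collector's TLS options once certificates exist. `chan-buffer-size: 655350` is ten times the `65535` used everywhere else in this commit — if a larger ingest buffer is deliberate it deserves a comment, otherwise it reads like a stray digit. `keep-fqdn-file` and `keep-rdata-file` are single-quoted while every `file-path` is bare; pick one style. Indentation is not visible in this rendering, so the nesting of `routing-policy` could not be checked.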
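--- a/config/pdnssoccli/pdnssoccli.cron
+++ b/config/pdnssoccli/pdnssoccli.cron
@@ -0,0 +1,12 @@
+LANG=nb_NO.UTF-8
+LC_ALL=nb_NO.UTF-8
+
+# Run fetch_iocs every hour
+0 */1 * * * root (pdnssoc-cli fetch-iocs && /bin/kill -SIGHUP $(cat /var/dnscollector/collector.pid)) >> /var/log/pdnssoc-cli-fetch-iocs.log 2>&1
+
+# Run correlation & alert every 15min
+*/15 * * * * root pdnssoc-cli correlate /var/dnscollector/matches >> /var/log/pdnssoc-cli-correlate.log 2>&1 && pdnssoc-cli alert /var/dnscollector/alerts/ >> /var/log/pdnssoc-cli-alert.log 2>&1
+
+# Retro-active searches every hour, if the system is not overloaded
+0 */1 * * * root ([ $(awk '{print $1}' /proc/loadavg) \< 0.5 ] && pdnssoc-cli correlate --retro_disco_lookup /var/dnscollector/queries/) >> /var/log/pdnssoc-cli-retro.log 2>&1
+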
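Review bot: The load check in the retro job, `[ $(awk '{print $1}' /proc/loadavg) \< 0.5 ]`, is a string comparison that only works because of loadavg's fixed `X.YY` format, and `\<` inside `[` is a bash extension; cron runs these lines with `/bin/sh`, and where that is dash the test fails with "unexpected operator" every hour, so the retro search would never run. Letting awk do the numeric comparison avoids both problems: `0 * * * * root (awk '{exit !($1 < 0.5)}' /proc/loadavg && pdnssoc-cli correlate --retro_disco_lookup /var/dnscollector/queries/) >> /var/log/pdnssoc-cli-retro.log 2>&1`. The fetch-iocs job sends SIGHUP via `$(cat /var/dnscollector/collector.pid)`; if that file is missing or stale the kill targets nothing or the wrong process, so quoting the substitution and adding a comment that it depends on `pid-file` in server.yml would help the next reader. A system crontab gets a minimal `PATH`; if `pdnssoc-cli` is installed outside it, set `PATH=` at the top next to `LANG`.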
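--- a/config/test_lab/named.conf
+++ b/config/test_lab/named.conf
@@ -0,0 +1,55 @@
+options {
+directory "/var/opt/isc/scls/isc-bind/named/data";
+listen-on port 53 { any; };
+listen-on-v6 { none; };
+allow-query { any; };
+recursion yes;
+allow-recursion { any; };
+# forwarders {
+# IP_TO_FORWARDER; # i.e. 8.8.8.8
+# };
+dnssec-validation no;
+dnstap { all; };
+dnstap-output file "/var/log/named/dnstap.log" size unlimited;
+# response-policy { zone "rpz.local"; };
+};
+
+#zone "rpz.local" {
+# type master;
+# file "/var/opt/isc/scls/isc-bind/named/data/db.rpz";
+#};
+
+logging {
+channel update_debug {
+file "/var/log/named/update_debug.log" versions 3 size 250k;
+severity debug;
+print-severity yes;
+print-time yes;
+};
+channel security_info {
+file "/var/log/named/security_info.log" versions 1 size 250k;
+severity info;
+print-category yes;
+print-severity yes;
+print-time yes;
+};
+channel bind_log {
+file "/var/log/named/bind.log" versions 3 size 1m;
+severity info;
+print-category yes;
+print-severity yes;
+print-time yes;
+};
+# channel rpzlog {
+# file "/var/log/named/rpz.log" versions unlimited size 1000m;
+# print-time yes;
+# print-category yes;
+# print-severity yes;
+# severity info;
+# };
+category default { bind_log; };
+category update { update_debug; };
+category update-security { update_debug; };
+category security { security_info; };
+# category rpz { rpzlog; };
+};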
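Review bot: `allow-query { any; };` together with `recursion yes;` and `allow-recursion { any; };` makes this an open recursive resolver, and `dnssec-validation no;` skips signature checking on the answers it caches; nothing in the file says this is intended only for the isolated lab the path `config/test_lab` suggests. Add a header comment such as `# Test-lab only: open recursion and no DNSSEC validation so every query is captured by dnstap; never expose this resolver beyond the lab network`, or narrow it to `allow-recursion { localnets; localhost; };` if the lab clients are on-link. `dnstap-output file "/var/log/named/dnstap.log" size unlimited;` grows without bound while the logging channels cap at 250k/1m; a `size` and `versions` on it avoids filling the disk in a long-running lab.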
