zeek-suspicious-arpa-query

Suspicious ARPA Query

A tiny Zeek package that writes a notice.log entry when a non-PTR query (for example A, AAAA or TXT) is observed for a name ending in .in-addr.arpa or .ip6.arpa. Those two zones exist for reverse lookups, so a client asking for any other record type under them is unusual and worth a look.

$ zeek -r ./testing/Traces/a-in-arpa.pcap ./scripts/ LogAscii::use_json=T
$ jq < notice.log
{
  "ts": 1773826068.290365,
  ...
  "proto": "udp",
  "note": "SuspiciousArpa::Query_In_Reverse_Zone",
  "msg": "AAAA query for 209.148.201.195.in-addr.arpa (C_INTERNET)",
  ...
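
The check itself is small. The script below is an added example written for this README, not the package's own code: it raises the same `SuspiciousArpa::Query_In_Reverse_Zone` notice with the same message format as the output above. It handles `DNS::log_dns` instead of `dns_request`, so it fires when Zeek logs the DNS record rather than the instant the query is seen, and its handler signature does not change between Zeek versions. The `ignore_names` allowlist is an assumption added here for names that legitimately live under .arpa; the package itself does not document one.

```zeek
##! Added example, not the package's script: flag non-PTR queries for names
##! under in-addr.arpa or ip6.arpa with a Notice.

@load base/frameworks/notice
@load base/protocols/dns

module SuspiciousArpa;

export {
	redef enum Notice::Type += {
		## A query for a name under in-addr.arpa or ip6.arpa whose type is not PTR.
		Query_In_Reverse_Zone,
	};

	## Lower-case names to ignore. Assumption added in this example, not part
	## of the package; empty by default.
	option ignore_names: set[string] = { };
}

# Matches the two reverse-lookup zones; queries are lower-cased before matching.
const reverse_zone = /\.(in-addr|ip6)\.arpa$/ &redef;

event DNS::log_dns(rec: DNS::Info)
	{
	# Without a name and a type there is nothing to judge.
	if ( ! rec?$query || ! rec?$qtype_name )
		return;

	local q = to_lower(rec$query);

	if ( ! (reverse_zone in q) )
		return;

	# PTR is the expected type in these zones; anything else is the signal.
	if ( rec$qtype_name == "PTR" )
		return;

	if ( q in ignore_names )
		return;

	NOTICE([$note=Query_In_Reverse_Zone,
	        $msg=fmt("%s query for %s (%s)", rec$qtype_name, rec$query,
	                 rec?$qclass_name ? rec$qclass_name : "?"),
	        $uid=rec$uid,
	        $id=rec$id,
	        # Suppress repeats of the same client/name/type pair for the
	        # default Notice suppression interval.
	        $identifier=cat(rec$id$orig_h, q, rec$qtype_name)]);
	}
```

Run it against a capture the same way as the package, for example `zeek -r some.pcap ./suspicious-arpa.zeek LogAscii::use_json=T`, and the notice appears in notice.log alongside the usual dns.log entry. Because the match is on the logged query name, a query that Zeek could not fully parse (no `query` field) is skipped rather than flagged.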

Based on the Infoblox blog article "Abusing .arpa: The TLD That Isn’t Supposed to Host Anything".

Installation

zkg install suspicious-arpa-query
