zeek-package-detect-DoH

https://github.com/stratosphereips/zeek-package-detect-DoH
4 1 1 0 Last Push 4/12/23, 2:49 PM

Goal

Detect DoH servers by adding a is_DoH field in ssl.log and add timeout to them so that the DoH connection won't take too long

Running Zeek using this script will result in a is_DoH column in ssl.log that is set to true if the destination IP is a DoH server

Example

This command


Will result in the following ```is_DoH``` column ssl.log

![ssl.log]( https://raw.githubusercontent.com/stratosphereips/zeek-package-detect-DoH/main/images/is_DoH_field.png )


The ```is_DoH``` value of IP ```64.20.34.50``` is set to ```T``` because it is a DoH server.

Package Version :

Description :

Detect DoH servers by adding a is_DoH field in ssl.log and add timeout to them so that the DoH connection won't take too long

Tags :

DoH, SSL, zeek plugin, dns, features extraction