Simple policy to detect DNS anomalies based on thresholds
The script provides the following functionality.
Installation
zkg install zeek/initconf/dns-thresholds or @load dns-thresholds/scripts
Detailed Notes:
- DNS::Thresholds and DNS::Spike:
  - DNS::Thresholds: total number of lookups per IP per day
  - DNS::Spike: acceleration/spike, i.e. the fastest/quickest reacher of the threshold
  The detection loop works as follows:
  1. count all the lookups per IP for 1 min
  2. check if the threshold for the above IP is reached; cache the threshold counter for 1 min
  3. if the threshold is hit, increment the rate counter by 1
  4. expire counters and data from tables after 1 min
  5. check if rate_counter > rolling_threshold; if yes, fire an alert
  6. repeat 1, 2, 3, 4
  7. check if rate_counter has expired; if so, set it to zero, and loop
- Notices on DNS TXT records: DNS::TxtThreshold, DNS::TxtSpike, DNS::VersionBind
- DNS Heavy Hitters: DNS::HostThreshold, DNS::QueryThreshold
- Flag DNS Zone Transfers (you need to whitelist the allowable IPs): DNS::ZoneTransfer
- DNS service records and version queries.
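As an added illustration of the DNS::Spike loop described under Detailed Notes (this is not the package's Zeek code), a small Python model of steps 1-7 run over constructed dns.log-style lines; the option names, the 5-minute lifetime of the rate counter and the three-column log layout are assumptions.

```python
WINDOW = 60.0        # seconds: per-IP lookup counters expire after one minute (step 4)
RATE_EXPIRE = 300.0  # seconds: assumed lifetime of the rate counter (step 7), not a package option

class SpikeDetector:
    """Model of the DNS::Spike loop: count lookups per IP per minute, bump a rate
    counter each minute the threshold is hit, alert once it exceeds rolling_threshold."""

    def __init__(self, threshold, rolling_threshold, window=WINDOW, rate_expire=RATE_EXPIRE):
        self.threshold, self.rolling_threshold = threshold, rolling_threshold
        self.window, self.rate_expire = window, rate_expire
        self.counts = {}  # ip -> (window start, lookups in this window)    (step 1)
        self.rates = {}   # ip -> (time of last threshold hit, rate counter) (step 3)
        self.alerts = []  # (ts, ip, rate_counter) for every DNS::Spike fired

    def lookup(self, ts, ip):
        start, n = self.counts.get(ip, (ts, 0))
        if ts - start >= self.window:      # step 4: expire the per-minute counter
            start, n = ts, 0
        n += 1
        self.counts[ip] = (start, n)
        if n != self.threshold:            # step 2: act once, when the threshold is crossed
            return None
        last, rate = self.rates.get(ip, (ts, 0))
        if ts - last >= self.rate_expire:  # step 7: a stale rate counter restarts from zero
            rate = 0
        rate += 1                          # step 3
        self.rates[ip] = (ts, rate)
        if rate > self.rolling_threshold:  # step 5: sustained spike, fire the notice
            self.alerts.append((ts, ip, rate))
            return "DNS::Spike"
        return None

def detect(lines, threshold=5, rolling_threshold=2):
    """Feed dns.log-style lines (ts, id.orig_h, query; tab-separated) and return the alerts."""
    det = SpikeDetector(threshold, rolling_threshold)
    for line in lines:
        if not line or line.startswith("#"):   # skip Zeek log header/comment lines
            continue
        ts, ip, _query = line.split("\t")[:3]
        det.lookup(float(ts), ip)
    return det.alerts

def constructed_log():
    """Constructed sample: 10.0.0.5 makes 6 lookups a minute for 3 minutes, 10.0.0.9 only 3."""
    lines = []
    for minute in range(3):
        base = 1700000000 + 60 * minute
        lines += [f"{base + i}\t10.0.0.5\thost{i}.example.test" for i in range(6)]
        lines += [f"{base + i}\t10.0.0.9\tmail{i}.example.test" for i in range(3)]
    return lines
```

With the defaults (threshold 5, rolling_threshold 2) only 10.0.0.5 trips the notice, and only in the third minute, once its rate counter reaches 3.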
Alerts and descriptions: the script generates the following notices:
- DNS::QueryThreshold
- DNS::PTRThreshold
- DNS::TxtThreshold
- DNS::TxtSpike
- DNS::VersionBind
- DNS::HostThreshold
- DNS::ZoneTransfer
Example summary notices:
- DNS::QueryThreshold IP[6.169.199.211], numQueries: 99, uniqQueries: 100, Hosts: 1, Qtype: [Unknown]: 1 [A]: 3 [PTR]: 95
- DNS::QueryThreshold IP[6.169.199.211], numQueries: 242, uniqQueries: 250, Hosts: 3, Qtype: [Unknown]: 1 [A]: 7 [PTR]: 234
- DNS::QueryThreshold IP[6.169.199.211], numQueries: 503, uniqQueries: 500, Hosts: 3, Qtype: [Unknown]: 2 [A]: 13 [PTR]: 488
- DNS::PTRThreshold IP[6.169.199.211] has done 500 look ups: [ptr_counts=500, noerror=174, nxdomain=239, refused=12, servfail=0, unknown=75]
- DNS::QueryThreshold IP[6.169.199.211], numQueries: 980, uniqQueries: 1000, Hosts: 3, Qtype: [Unknown]: 3 [A]: 21 [PTR]: 956
- DNS::PTRThreshold IP[6.169.199.211] has done 1000 look ups: [ptr_counts=1000, noerror=360, nxdomain=486, refused=14, servfail=0, unknown=140]
- DNS::PTRThreshold IP[6.169.199.211] has done 5000 look ups: [ptr_counts=5000, noerror=1796, nxdomain=2433, refused=86, servfail=0, unknown=685]