Anomalous-DNS

A set of zeek scripts providing a module for tracking and correlating abnormal DNS behavior. Detection of tunneling and C&C through connection duration and volume, request and answer size, DNS request type, and unique queries per domain.

Requirements

domain-tld: https://github.com/sethhall/domain-tld (automatically installed with package)

Installation

zkg install sensorfleet/anomalous-dns

Documentation

Current documentation consists of inline comments.

This version has the following changes over jbaggs version:

support for more aggressive whitelisting: you can whitelist IPs to fully disable all DNS anomaly tracking.

Name		Name	Last commit message	Last commit date
Latest commit History 27 Commits
CHANGES.rst		CHANGES.rst
LICENSE		LICENSE
README.rst		README.rst
__load__.zeek		__load__.zeek
an-dns-connection.zeek		an-dns-connection.zeek
an-dns-domain.zeek		an-dns-domain.zeek
an-dns-oversized.zeek		an-dns-oversized.zeek
an-dns-query_type.zeek		an-dns-query_type.zeek
domain-whitelist.zeek		domain-whitelist.zeek
main.zeek		main.zeek
zkg.meta		zkg.meta

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Anomalous-DNS

Requirements

Installation

Documentation

About

Releases

Packages

Languages

License

sensorfleet/anomalous-dns

Folders and files

Latest commit

History

Repository files navigation

Anomalous-DNS

Requirements

Installation

Documentation

About

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages