passivedns
Have Query and Answer string length
hello, is it possible to add the Query and Answer string length at the end of the log line? This data will help my security manager check for possible data evasion through DNS requests. For a test I added these lines to dns.c:

```c
/* line: 660 */
int qname_len = 0;
int answer_len = 0;

/* line: 1103 */
/* Print query length */
if (config.fieldsf & FIELD_QUERY) {
    /* Length of the query name, computed whether or not a delimiter precedes it */
    qname_len = (int)strlen(l->qname);
    if (offset != 0)
        offset += snprintf(output+offset, sizeof(buffer) - offset, "%s", d);
    offset += snprintf(output+offset, sizeof(buffer) - offset, "%d", qname_len);
}

/* Print answer length */
if (config.fieldsf & FIELD_ANSWER) {
    if (offset != 0)
        offset += snprintf(output+offset, sizeof(buffer) - offset, "%s", d);
    /* Error records carry the rcode string instead of an answer */
    if (is_err_record) {
        answer_len = (int)strlen(rr_rcode);
    } else {
        answer_len = (int)strlen(p->answer);
    }
    offset += snprintf(output+offset, sizeof(buffer) - offset, "%d", answer_len);
}
```
but I'm not an experienced C programmer. Sorry, I don't understand a lot of your code and I'm not able to do the full job.
bye.
Though this is trivial to calculate from the current log format, either by preprocessing logs before you push them to your final log storage solution (via Kafka etc.), or, I would guess, by calculating it with, say, Splunk when searching logs, I do see that it could be nice to have this if you don't have such a fancy setup.
If I get time, I will look at it. A pull request would work too :)
E
Check out commit 215e3514df884e4bbf1e548f7b7d1066a51a6ffc Tell me if this works like you expected.
I would vote against this change. It adds extra computation, and alters the log format and size, all for something that I think should be calculated further down the pipeline (as previously mentioned by gamelinux). Also, it seems to be outside the scope of what I feel this application is: a slim and to-the-point passive DNS collector.
I do agree that it is outside what I would like in the core functionality (as the data is kind of there already, you just need to calculate it), but adding this would only add a very, very little overhead to computation if you don't specify -f with "L" and "l". It's just checking whether a flag is set, in a very efficient way, in a few places.
And this will not alter the output format if you don't manually add "L" and/or "l".
The biggest plus here is that this allows command line tools like jq to parse the JSON output etc. and filter on the length of domains if you want to hunt for, say, DNS tunneling. Also, if you have little clue or are just short of time, you can push the data into ELK or Splunk etc. and use the length field right away, without writing a parser which adds the length before log insert.
I'm open to feedback though :)
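The "calculate it further down the pipeline" route that the earlier comments describe, as an added example rather than code from the passivedns project or from anyone in this thread: it derives the same query and answer lengths from existing log lines and applies length-first heuristics for the DNS-tunneling hunt mentioned above. It assumes passivedns' default "||"-separated field order (timestamp, client, server, class, query, type, answer, ttl, count); the sample lines are constructed, and the thresholds are illustrative, not project defaults.

```python
"""Added example (not part of passivedns or this thread): compute query/answer
string lengths from existing passivedns log lines and flag long or
high-entropy query names as DNS-tunneling candidates."""
import math
from collections import Counter

# Assumed field order of passivedns' default "||" log line (not from this thread).
FIELDS = ("timestamp", "client", "server", "class", "query", "type",
          "answer", "ttl", "count")

# Constructed sample lines, not real captures. The third mimics a tunnel
# query carrying a base32-looking payload label; the fourth is an error
# record, where the rcode string sits in the answer field.
SAMPLE_LOG = """\
1322849924.123456||10.1.1.1||8.8.8.8||IN||upload.youtube.com.||A||74.125.43.117||46587||5
1322849925.000001||10.1.1.2||8.8.8.8||IN||www.example.com.||CNAME||example.com.||300||1
1322849926.500000||10.1.1.3||8.8.8.8||IN||jbswy3dpfqqfo33snrscc4tfmfrgc2lomv2gkzdfon2c4ytpmm.t1.tunnel.example.||TXT||dGVzdA==||0||1
1322849927.000000||10.1.1.4||8.8.8.8||IN||nonexistent.example.||A||NXDOMAIN||0||1
"""


def parse_line(line):
    """Split one log line into a dict and add the two derived lengths."""
    parts = line.rstrip("\n").split("||")
    if len(parts) != len(FIELDS):
        return None  # malformed or truncated line: skip rather than guess
    rec = dict(zip(FIELDS, parts))
    # The same values an in-process "L"/"l" field would print.
    rec["qname_len"] = len(rec["query"])
    rec["answer_len"] = len(rec["answer"])
    return rec


def shannon_entropy(s):
    """Bits per character; encoded payloads score higher than dictionary words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_label(qname):
    """Longest single label; tunnels pack their payload into one label."""
    return max(qname.rstrip(".").split("."), key=len, default="")


def is_suspicious(rec, max_qname_len=60, max_label_len=40, min_entropy=3.5):
    """Length-first heuristics. Thresholds are illustrative assumptions and
    will need tuning per environment (CDN hostnames can look payload-like)."""
    label = longest_label(rec["query"])
    return (rec["qname_len"] > max_qname_len
            or len(label) > max_label_len
            or shannon_entropy(label) > min_entropy)


def hunt(log_text):
    """Return the parsed records worth a closer look, in input order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_suspicious(rec):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in hunt(SAMPLE_LOG):
        print(rec["client"], rec["qname_len"], rec["answer_len"], rec["query"])
```

Run it against a real passivedns log with `hunt(open(path).read())`; the length and entropy cutoffs are the knobs to tune, and a pure length filter is the cheapest first pass, which is exactly what the proposed log fields would let jq or Splunk do without this script.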
hello, thank you very much for your great work. Including my request in your project is, for me, fantastic. It works very well, as I expected.
best regards.