Files
Anthropic-Cybersecurity-Skills/skills/detecting-exfiltration-over-dns-with-zeek/references/api-reference.md
T

2.6 KiB

DNS Exfiltration Detection Reference

Zeek dns.log Field Reference (TSV Format)

Field Type Description
ts time Timestamp of the DNS request
uid string Unique connection identifier
id.orig_h addr Source IP address
id.orig_p port Source port
id.resp_h addr Destination IP (DNS server)
id.resp_p port Destination port (usually 53)
proto enum Transport protocol (udp/tcp)
trans_id count DNS transaction ID
rtt interval Round trip time
query string The domain name queried
qclass count Query class value
qclass_name string Query class name (C_INTERNET)
qtype count Query type value
qtype_name string Query type name (A, AAAA, TXT, MX, CNAME, NULL)
rcode count Response code value
rcode_name string Response code name (NOERROR, NXDOMAIN, SERVFAIL)
AA bool Authoritative Answer flag
TC bool Truncation flag
RD bool Recursion Desired flag
RA bool Recursion Available flag
Z count Reserved field
answers vector Resource record answers
TTLs vector TTL values for answer RRs
rejected bool Whether query was rejected

zeek-cut Usage

# Extract specific fields from dns.log
cat dns.log | zeek-cut ts id.orig_h query qtype_name answers

# Filter TXT queries (common in DNS tunneling)
cat dns.log | zeek-cut query qtype_name | grep TXT

# Count queries per domain
cat dns.log | zeek-cut query | rev | cut -d. -f1-2 | rev | sort | uniq -c | sort -rn

RITA Beacon Detection

# Import Zeek logs into RITA
rita import /opt/zeek/logs/current rita-dataset

# Analyze for beaconing
rita show-beacons rita-dataset

# Show DNS tunneling indicators
rita show-dns rita-dataset

# HTML report
rita html-report rita-dataset /var/www/html/rita-report

Suricata DNS Exfiltration Rules

# Detect long DNS queries (potential tunneling)
alert dns any any -> any any (msg:"Possible DNS tunneling - long query"; \
  dns.query; content:"|00|"; byte_test:1,>,50,0,relative; \
  sid:1000001; rev:1;)

# Detect TXT record queries to unusual domains
alert dns any any -> any any (msg:"Suspicious DNS TXT query"; \
  dns_query; pcre:"/^[a-z0-9]{30,}\./i"; sid:1000002; rev:1;)

Splunk SPL for DNS Exfiltration

index=zeek sourcetype=zeek_dns
| eval subdomain_len=len(mvindex(split(query, "."), 0))
| where subdomain_len > 50
| stats count dc(query) as unique_queries by "id.orig_h" query
| where unique_queries > 100
| sort -unique_queries