mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 05:05:16 +03:00
2.6 KiB
2.6 KiB
DNS Exfiltration Detection Reference
Zeek dns.log Field Reference (TSV Format)
| Field | Type | Description |
|---|---|---|
ts |
time | Timestamp of the DNS request |
uid |
string | Unique connection identifier |
id.orig_h |
addr | Source IP address |
id.orig_p |
port | Source port |
id.resp_h |
addr | Destination IP (DNS server) |
id.resp_p |
port | Destination port (usually 53) |
proto |
enum | Transport protocol (udp/tcp) |
trans_id |
count | DNS transaction ID |
rtt |
interval | Round trip time |
query |
string | The domain name queried |
qclass |
count | Query class value |
qclass_name |
string | Query class name (C_INTERNET) |
qtype |
count | Query type value |
qtype_name |
string | Query type name (A, AAAA, TXT, MX, CNAME, NULL) |
rcode |
count | Response code value |
rcode_name |
string | Response code name (NOERROR, NXDOMAIN, SERVFAIL) |
AA |
bool | Authoritative Answer flag |
TC |
bool | Truncation flag |
RD |
bool | Recursion Desired flag |
RA |
bool | Recursion Available flag |
Z |
count | Reserved field |
answers |
vector | Resource record answers |
TTLs |
vector | TTL values for answer RRs |
rejected |
bool | Whether query was rejected |
zeek-cut Usage
# Extract specific fields from dns.log
cat dns.log | zeek-cut ts id.orig_h query qtype_name answers
# Filter TXT queries (common in DNS tunneling)
cat dns.log | zeek-cut query qtype_name | grep TXT
# Count queries per domain
cat dns.log | zeek-cut query | rev | cut -d. -f1-2 | rev | sort | uniq -c | sort -rn
RITA Beacon Detection
# Import Zeek logs into RITA
rita import /opt/zeek/logs/current rita-dataset
# Analyze for beaconing
rita show-beacons rita-dataset
# Show DNS tunneling indicators
rita show-dns rita-dataset
# HTML report
rita html-report rita-dataset /var/www/html/rita-report
Suricata DNS Exfiltration Rules
# Detect long DNS queries (potential tunneling)
alert dns any any -> any any (msg:"Possible DNS tunneling - long query"; \
dns.query; content:"|00|"; byte_test:1,>,50,0,relative; \
sid:1000001; rev:1;)
# Detect TXT record queries to unusual domains
alert dns any any -> any any (msg:"Suspicious DNS TXT query"; \
dns_query; pcre:"/^[a-z0-9]{30,}\./i"; sid:1000002; rev:1;)
Splunk SPL for DNS Exfiltration
index=zeek sourcetype=zeek_dns
| eval subdomain_len=len(mvindex(split(query, "."), 0))
| where subdomain_len > 50
| stats count dc(query) as unique_queries by "id.orig_h" query
| where unique_queries > 100
| sort -unique_queries