
ioc2rpz is a place where threat intelligence meets DNS

Homas committed Feb 12, 2019
1 parent f8b1b40 commit 04190f4b79555d60641ccc6061ba612f33b026e8
Showing with 21 additions and 0 deletions.
  1. +3 −0 ChangeLog.md
  2. +3 −0 TODO.md
  3. BIN docs/CommonEventFormatV25.pdf
  4. +3 −0 src/ioc2rpz.erl
  5. +12 −0 src/ioc2rpz_fun.erl
@@ -1,6 +1,9 @@
# ioc2rpz change log
[CB] - Changed Behaviour

## 2019-02-11
- Log messages were formated in CEF

## 2018-09-22
- IPv6 support
- Configuration file name and IPs are moved to an app config file
@@ -3,6 +3,9 @@
## Core
- [ ] DoH https://tools.ietf.org/html/rfc8484
- [ ] DoT https://tools.ietf.org/html/rfc7858
- [ ] Redo AXFR logs
- [ ] All log messages in CEF
- [ ] Update keys from cfg

## Sources
- [ ] Source: ioc type, max # of IOCs, max file size, RPZ action, NS type, lowcase optimization option, spawn processes
Binary file not shown.
@@ -100,6 +100,9 @@ send_dns_tcp(Socket, Pkt, []) ->
send_dns_udp(Socket, Dst, Port, Pkt, _Args) ->
ok = gen_udp:send(Socket, Dst, Port, Pkt).

parse_dns_request(Socket, <<>> = _Data, Proto) -> % "Device Event Class ID|Name|Severity|[Extension]" must be passed
ioc2rpz_fun:logMessage("|101|Empty request|3|src=~p proto=~p~n",[ip_to_str(Proto#proto.rip),Proto#proto.proto]);

parse_dns_request(Socket, <<DNSId:2/binary, _:1, OptB:7, _:1, OptE:3, _:4, QDCOUNT:2/big-unsigned-unit:8,ANCOUNT:2/big-unsigned-unit:8,NSCOUNT:2/binary,ARCOUNT:2/binary, Rest/binary>> = _Data, Proto) when QDCOUNT /= 1 -> %_:2/binary, ;ANCOUNT /= 0
[QName,<<QType:2/big-unsigned-unit:8,QClass:2/big-unsigned-unit:8, _Other_REC/binary>>] = binary:split(Rest,<<0>>),
LT=calendar:local_time(),
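Review bot: The new empty-request clause of parse_dns_request/3 binds `Socket` without using it, so the compiler will warn on every build; it should be `_Socket`. The same clause's comment says the CEF fields must be passed, but it calls `ioc2rpz_fun:logMessage`, and in this commit only `logMessageCEF/3` prepends the `CEF:0|ioc2rpz|ioc2rpz_serv|...` header, so this line would be written as a timestamp followed by `|101|Empty request|3|...` with no CEF header. The `src=~p` extension also prints the result of `ip_to_str/1` with Erlang quoting if that function returns a string or binary (presumably it does — verify), whereas a CEF extension value should be emitted bare with `~s`. Suggested clause: `parse_dns_request(_Socket, <<>> = _Data, Proto) ->` / `ioc2rpz_fun:logMessageCEF("|101|Empty request|3|src=~s proto=~p~n",[ip_to_str(Proto#proto.rip),Proto#proto.proto]);`. The remaining clauses of parse_dns_request/3 continue past the end of the hunk.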
@@ -26,6 +26,18 @@ logMessage(Dest, Message, Vars) ->
{{Y,M,D},{HH,MM,SS}}=calendar:local_time(),
io:fwrite(Dest,"~4..0w-~2..0w-~2..0w ~2..0w:~2..0w:~2..0w "++Message,[Y,M,D,HH,MM,SS|Vars]).

%CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension]

logMessageCEF(Message, Vars) -> % "Device Event Class ID|Name|Severity|[Extension]" must be passed
logMessage(group_leader(), Message, Vars).

logMessageCEF(Dest, Message, Vars) ->
{{Y,M,D},{HH,MM,SS}}=calendar:local_time(),
io:fwrite(Dest,"~4..0w-~2..0w-~2..0w ~2..0w:~2..0w:~2..0w CEF:0|ioc2rpz|ioc2rpz_serv|~p"++Message,[Y,M,D,HH,MM,SS,ioc2rpz_ver|Vars]).

% Severity is a string or integer and reflects the importance of the event. The valid string values are Unknown, Low, Medium, High, and Very-High. The valid integer values are 0-3=Low, 4-6=Medium, 7- 8=High, and 9-10=Very-High.
% 101 - Empty Request - 3


strs_to_binary(Strs) ->
strs_to_binary(Strs,[]).
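Review bot: In logMessageCEF/3 the Device Version header field is filled from the bare atom `ioc2rpz_ver`, so every CEF line will carry the literal text `ioc2rpz_ver` instead of a version string; if a macro or the application version was intended, that is `?ioc2rpz_ver` (if defined elsewhere — verify) or `application:get_key(ioc2rpz, vsn)`. Separately, neither logMessageCEF/2 nor /3 escapes `|` in header fields or `\`, `=` and newlines in extension values, which the CEF format (the spec is added under docs/ in this same commit) requires; any caller that interpolates data taken from a DNS packet, such as a query name, would let a client inject extra fields or line breaks into the log. Until an escaping helper exists, a comment above logMessageCEF/3 such as `% Callers must CEF-escape '|' in header fields and '\', '=' and newlines in extension values; Vars are interpolated verbatim.` would at least state the contract.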
