
ioc2rpz is a place where threat intelligence meets DNS

Homas committed Jul 6, 2019
1 parent cefe6ba commit 9f6d5e323dd203dd9f4856df36da9fa7d369c57d
Showing with 16 additions and 6 deletions.
  1. +3 −0 ChangeLog.md
  2. +2 −2 Dockerfile
  3. +1 −1 LICENSE
  4. +1 −0 TODO.md
  5. +1 −1 include/ioc2rpz.hrl
  6. +5 −0 src/ioc2rpz.erl
  7. +1 −1 src/ioc2rpz_conn.erl
  8. +2 −1 src/ioc2rpz_fun.erl
@@ -1,6 +1,9 @@
# ioc2rpz change log
[CB] - Changed Behaviour

## 2019-07-05 v0.9.4.1
- CVE-2004-0789

## 2019-06-13 v0.9.4.0
- Fixed bugs:
- #10
@@ -1,4 +1,4 @@
#Copyright 2017-2018 Vadim Pavlov ioc2rpz[at]gmail[.]com
#Copyright 2017-2019 Vadim Pavlov ioc2rpz[at]gmail[.]com
#
#Licensed under the Apache License, Version 2.0 (the "License");
#you may not use this file except in compliance with the License.
@@ -26,7 +26,7 @@ WORKDIR /opt/ioc2rpz
#ENTRYPOINT ["erl", "-noshell", "-pa", "./ebin", "-sname", "ioc2rpz", "-eval", "application:start(ioc2rpz,permanent)", "-config", "ioc2rpz_app"]
#CMD ["/bin/sh", "/opt/ioc2rpz/scripts/run_ioc2rpz.sh"]

RUN mkdir /opt/ioc2rpz/cfg /opt/ioc2rpz/db /opt/ioc2rpz/include /opt/ioc2rpz/src /opt/ioc2rpz/log && apk add bind-tools curl python3 gawk
RUN mkdir -p /opt/ioc2rpz/cfg /opt/ioc2rpz/ssl /opt/ioc2rpz/db /opt/ioc2rpz/include /opt/ioc2rpz/src /opt/ioc2rpz/log && apk add bind-tools curl python3 gawk
ADD src/* /opt/ioc2rpz/src/
ADD include/* /opt/ioc2rpz/include/
ADD config/* /opt/ioc2rpz/config/
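Review bot: The rewritten RUN line on the new side still runs `apk add` without `--no-cache` and without any version constraint, so the apk index ends up baked into the image layer and two builds of the same Dockerfile can pull different package versions. `RUN mkdir -p /opt/ioc2rpz/cfg /opt/ioc2rpz/ssl /opt/ioc2rpz/db /opt/ioc2rpz/include /opt/ioc2rpz/src /opt/ioc2rpz/log && apk add --no-cache bind-tools curl python3 gawk` drops the cache, and apk's `name=version` syntax can pin the four packages if reproducible images are a goal. The `-p` added to mkdir and the new ssl directory look fine; I would mention in a comment above the line that `ssl` is expected to receive the certificate and key at runtime, since nothing in this Dockerfile populates it.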
@@ -187,7 +187,7 @@
same "printed page" as the copyright notice for easier
identification within third-party archives.

Copyright [yyyy] [name of copyright owner]
Copyright 2019 Vadim Pavlov

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -1,5 +1,6 @@
#TODO for Black Hat & DefCon
- [ ] Document "include" and key groups
- [ ] Add "reload_cert" API call (restart/reload cowboy)
- [ ] Add links to the wiki's How-To install
- [ ] Start EUnit Tests
- [ ] Release 1.0
@@ -43,7 +43,7 @@
%%%%%%
%%%%%% Do not modify any settings below the line
%%%%%%
-define(ioc2rpz_ver, "0.9.4.1-2019061901").
-define(ioc2rpz_ver, "0.9.4.1-2019070501").

-define(ZNameZip,16#c00c:16). %Zone name/original fqdn from a request is always at byte 10 in the response
-define(ZNameZipN,16#c00c). % Offset in bytes - Zone name/original fqdn from a request is always at byte 10 in the response
@@ -144,6 +144,11 @@ send_dns_udp(Socket, Dst, Port, Pkt, _Args) ->
parse_dns_request(Socket, Data, Proto) when byte_size(Data) =< 12 ->
%%% Bad DNS packet
ioc2rpz_fun:logMessageCEF(ioc2rpz_fun:msg_CEF(101),[ip_to_str(Proto#proto.rip),Proto#proto.rport,Proto#proto.proto]);

parse_dns_request(Socket, Data, Proto) when Proto#proto.rport == 53; Proto#proto.tls == yes,Proto#proto.rport == 853 ->
%%% DDoS attemt
ioc2rpz_fun:logMessageCEF(ioc2rpz_fun:msg_CEF(501),[ip_to_str(Proto#proto.rip),Proto#proto.rport,Proto#proto.proto]);


parse_dns_request(Socket, <<DNSId:2/binary, _:1, OptB:7, _:1, OptE:3, _:4, QDCOUNT:2/big-unsigned-unit:8,ANCOUNT:2/big-unsigned-unit:8,NSCOUNT:2/binary,ARCOUNT:2/binary, Rest/binary>> = _Data, Proto) when QDCOUNT /= 1 -> %_:2/binary, ;ANCOUNT /= 0
%%% Bad DNS request. QDCount != 1
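Review bot: The new parse_dns_request clause rejects any request whose source port is 53 (or 853 over TLS) regardless of transport, but the reflection loop described by CVE-2004-0789 depends on a spoofed UDP source; a TCP or DoT connection from port 853 has completed a handshake and cannot be spoofed that way, so if Proto#proto.proto distinguishes udp from tcp the guard could be narrowed to the UDP case, and the `Proto#proto.tls == yes, Proto#proto.rport == 853` branch may be dropping legitimate clients. Since the clause logs one CEF line per dropped packet, a flood of spoofed port-53 packets turns into a flood of log writes; a rate limit on this event is worth considering. Minor points: the comment has a typo (`%%% DDoS attempt`), the clause does not use Socket or Data so `parse_dns_request(_Socket, _Data, Proto) when ...` avoids unused-variable warnings, and `=:=` is the usual choice over `==` for integer and atom comparison in guards. The remaining clauses of parse_dns_request continue past the end of this hunk.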
@@ -1,4 +1,4 @@
%Copyright 2017-2018 Vadim Pavlov ioc2rpz[at]gmail[.]com
%Copyright 2017-2019 Vadim Pavlov ioc2rpz[at]gmail[.]com
%
%Licensed under the Apache License, Version 2.0 (the "License");
%you may not use this file except in compliance with the License.
@@ -46,7 +46,6 @@ msg_CEF(106) -> "|000106|TSIG Bad time|5|src=~s spt=~p proto=~p qname=~p qtyp
msg_CEF(107) -> "|000107|Other TSIG error|5|src=~s spt=~p proto=~p qname=~p qtype=~p qclass=~p tsigkey=~p msg=~p msg2=~p~n";
msg_CEF(108) -> "|000108|Wrong TSIG position|5|src=~s spt=~p proto=~p qname=~p qtype=~p qclass=~p tsigkey=~p msg=~p~n";


msg_CEF(120) -> "|000120|RPZ not found|5|src=~s spt=~p proto=~p qname=~p qtype=~p qclass=~p tsigkey=~p msg=~p~n";
msg_CEF(121) -> "|000121|RPZ not ready|3|src=~s spt=~p proto=~p qname=~p qtype=~p qclass=~p tsigkey=~p msg=~p~n";

@@ -67,6 +66,8 @@ msg_CEF(222) -> "|000222|DNS Notify error|5|dst=~s dpt=~s proto=~s zone=~p ms

msg_CEF(301) -> "|000301|MGMT request denied|7|src=~s spt=~p proto=~p qname=~p qtype=~p qclass=~p tsigkey=~p msg=~p~n";

msg_CEF(501) -> "|000501|Possible DDoS CVE-2004-0789|3|src=~s spt=~p proto=~p~n";

msg_CEF(999) -> "Not defined~n".

strs_to_binary(Strs) ->
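Review bot: The new msg_CEF(501) entry assigns CEF severity 3 to "Possible DDoS", which is lower than the 5 used for "RPZ not found" (120) and the 7 for "MGMT request denied" (301) visible in this file; if the severity field is meant to rank events for a SIEM, a suspected amplification attempt seems to deserve at least the 5 used for bad-packet conditions, so I would expect either a higher value or a comment explaining why it is ranked below a missing zone. The format string takes src/spt/proto in the same order as the other three-argument messages, which matches the caller added in src/ioc2rpz.erl. The msg_CEF function starts before this hunk.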
