Compare multiple log formats against malware reputation lists.
Mal-dnssearch is a robust shell script that compares IP and DNS
addresses in logs against malware (and related) reputation data.
It reports any matches and supports many log formats.

Requires Bash version 4.2+. Tested with Bash on OpenBSD, FreeBSD, OSX, and Ubuntu.

Edit the Makefile or use the defaults to install the script.
The default is to install to /usr/local/mal-dnssearch. A symlink is then created in /usr/bin so that mal-dnssearch will most likely be in your PATH.

To install use:

sudo make install

To uninstall use:

sudo make uninstall

Supported Logs (parses DNS names only):

Specify log type with -T <type>. This is used to parse the file correctly.
-f is then required to specify the log file to read.

Type:        Description:
apache       Apache Access Log
apachev      Apache Other Vhosts Access Log
argus        ARGUS file (requires user data, i.e. setting ARGUS_CAPTURE_DATA_LEN)
bind         ISC's BIND query log file
bro          BRO-IDS dns.log file
custom-ip    Custom file - IP addresses, one per line
custom-dns   Custom file - DNS names, one per line, without the trailing FQDN dot
hosts        /etc/hosts file
httpry       HttPry log file
passivedns   PassiveDNS log file
tcpdump      Tcpdump pcap file
tshark       Tshark pcap file
sonicwall    SonicWall NSA log file (via syslog)

Is your log not supported? E-mail me a sample, I'll add it.

Supported Malware Host Lists:

Default is (DNS list) when -M is not specified.

List:        Description:
custom       Custom, one IP entry per line (IP)
snort        (IP)
et_ips       (IP)
alienvault   (BIG file) (IP)
botcc        (IP)
tor          (IP)
rbn          (IP)
malhosts     (DNS)
malips       (IP)
ciarmy       (IP)
mayhemic     (DNS)
mandiant     (DNS)

Todo (not ranked):


Non-mandatory options:

-w  Whitelist: accepts a file with one entry per line, or a grep regex, e.g. -w "dont|match|these", -w whitelist.txt
-l  Log stdout & stderr to a file, e.g. -l /var/log/output.log
-F  Block matched hosts with a firewall; 3 available: iptables, pf, ipfw, e.g. -F pf
-N  Skip the file download
-p  Pass the downloaded file to stdout to pipe to other programs, e.g.
    -M mayhemic -p | mal-dns2bro -T dns >
-v  Print each line from the mal-host list as it's processed, for debugging
-V  Print each line from the log file as it's processed, for debugging

Usage: ./mal-dnssearch -T <type> -f <logfile> [-M <list>] [-w whitelist] [-l out.log] [-F firewall] [-N] [-vV]


./ -M mandiant (Downloads file only)
./ -T tshark -f dns.pcap
./ -T passivedns -f /var/log/passivedns/dmz.log -w whitelist.txt
./ -T bro -f /usr/local/bro/logs/current/dns.log \
    -w "||google|facebook" -l dns.results.log
./ -T bro -f /usr/local/bro/logs/current/dns.log -F iptables -l dns.results.log
./ -T argus -f dns.argus -M malhosts -F iptables -l dns.results.log
./ -T custom-ip -f iplist.log -M snort -l ip.results.log -N -v
./ -T custom-ip -f iplist.log -M mandiant -l ip.results.log
./ -T apache -f /var/log/apache2/access.log
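The core of what the script does for a `-T bro` run with a DNS list and a `-w` regex is: pull the query names out of the log, normalise the reputation list, intersect the two, and drop anything the whitelist matches. The script below is an added illustration of that matching step, not mal-dnssearch's own code. The dns.log excerpt and the reputation list are constructed sample data, and the column layout is taken from the sample's own #fields header rather than assumed.

```shell
#!/bin/sh
# Added illustration of the matching step mal-dnssearch performs; this is
# not the project's own code. All log lines and list entries below are
# constructed sample data.
export LC_ALL=C

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Join arguments with tabs (Bro/Zeek logs are tab-separated). Runs in a
# subshell so the IFS change does not leak into the caller.
tsv() ( IFS="$(printf '\t')"; printf '%s\n' "$*" )

# Constructed Bro dns.log excerpt; the #fields header names the columns.
{
  tsv '#fields' ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass
  tsv 1400000000.1 C1 10.0.0.5 5353 10.0.0.1 53 udp 1 www.google.com 1
  tsv 1400000000.2 C2 10.0.0.5 5353 10.0.0.1 53 udp 2 bad.example.invalid 1
  tsv 1400000000.3 C3 10.0.0.6 5353 10.0.0.1 53 udp 3 cdn.example.invalid 1
  tsv 1400000000.4 C4 10.0.0.7 5353 10.0.0.1 53 udp 4 evil.example.invalid 1
  tsv 1400000000.5 C5 10.0.0.7 5353 10.0.0.1 53 udp 5 - 1
} > "$WORK/dns.log"

# Constructed DNS reputation list: one name per line, '#' comments allowed.
printf '%s\n' '# constructed list' bad.example.invalid cdn.example.invalid \
  evil.example.invalid > "$WORK/malhosts.txt"

# Unique query names from a Bro dns.log. The 'query' column is located from
# the #fields header, and the "-" placeholder for an empty query is skipped.
extract_bro_dns() {
  awk -F'\t' '
    $1 == "#fields" { for (i = 2; i <= NF; i++) if ($i == "query") q = i - 1; next }
    /^#/            { next }
    q && $q != "-"  { print $q }
  ' "$1" | sort -u
}

# Normalise a reputation list: drop comments and blank lines, sort for comm(1).
clean_list() {
  grep -v '^#' "$1" | grep -v '^[[:space:]]*$' | sort -u
}

# Names present in both the log and the list, minus any matching the
# whitelist (an extended regex, the same idea as -w "dont|match|these").
find_matches() {
  log=$1; list=$2; whitelist=${3:-}
  extract_bro_dns "$log" > "$WORK/names"
  clean_list "$list"     > "$WORK/bad"
  comm -12 "$WORK/names" "$WORK/bad" |
    awk -v re="$whitelist" 're == "" || $0 !~ re'
}

# Report hits, whitelisting anything that mentions cdn or google.
find_matches "$WORK/dns.log" "$WORK/malhosts.txt" 'cdn|google'
```

Run as written it reports bad.example.invalid and evil.example.invalid; cdn.example.invalid is on the list but suppressed by the whitelist, and www.google.com is never on the list. Reading the column index from the header matters because the dns.log layout differs between Bro releases, so hard-coding a field number silently produces no matches on a log with a different layout.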


Jon Schipp (keisterstash)
jonschipp [ at ] Gmail dot com