update passivedns

passivedns/README.md

@@ -1,2 +1,87 @@
 passivedns
 ==========
+
+[PassiveDNS][1] is a tool to collect DNS records passively to aid Incident handling, Network
+Security Monitoring (NSM) and general digital forensics.
+
+## docker-compose.yml
+
+```yaml
+version: "3.8"
+services:
+  passivedns:
+    image: vimagick/passivedns
+    command: >
+      -i eth0
+      -l /var/log/passivedns/passivedns.log
+      -L /var/log/passivedns/passivedns-nx.log
+      -p /var/run/passivedns.pid
+      -P 86400
+      -S 256
+      -X 46CDNOPRSTMnx
+    volumes:
+      - ./data:/var/log/passivedns
+    network_mode: host
+    privileged: true
+    restart: unless-stopped
+```
+
+## filebeat.yml
+
+```yaml
+filebeat.inputs:
+- type: filestream
+  id: passivedns
+  paths:
+    - /path/to/passivedns/data/passivedns.log
+    - /path/to/passivedns/data/passivedns-nx.log
+  ignore_inactive: since_first_start
+  fields:
+    project: dns
+  fields_under_root: true
+  processors:
+    - include_fields:
+        fields: ["message", "project"]
+```
+
+## logstash.conf
+
+```
+input {
+  beats {
+    port => 5044
+  }
+}
+
+filter {
+  if [project] == "dns" {
+    csv {
+      separator => "||"
+      columns => [ "timestamp", "client", "server", "class", "query", "type", "answer", "ttl", "count" ]
+      convert => {
+        "ttl" => "integer"
+        "count" => "integer"
+      }
+    }
+    date {
+      match => [ "timestamp", "UNIX" ]
+      remove_field => [ "timestamp" ]
+    }
+    mutate {
+      gsub => [ "query", "\.$", "", "answer", "\.$", "" ]
+      remove_field => [ "[host]", "[agent]", "[ecs][version]", "message" ]
+    }
+  } else {
+    drop {}
+  }
+}
+
+output {
+  elasticsearch {
+    hosts => ["elasticsearch:9200"]
+    ilm_enabled => "false"
+  }
+}
+```
+
+[1]: https://github.com/gamelinux/passivedns