From 458f65a3d9f5b8b89f8288e913625894409c7ff0 Mon Sep 17 00:00:00 2001
From: kevin
Date: Wed, 20 Sep 2023 21:19:55 +0800
Subject: [PATCH] update passivedns
---
 passivedns/README.md | 85 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)
diff --git a/passivedns/README.md b/passivedns/README.md
index a64283e..3a5de45 100644
--- a/passivedns/README.md
+++ b/passivedns/README.md
@@ -1,2 +1,87 @@
 passivedns
 ==========
+
+[PassiveDNS][1] is a tool to collect DNS records passively to aid Incident handling, Network
+Security Monitoring (NSM) and general digital forensics.
+
+## docker-compose.yml
+
+```yaml
+version: "3.8"
+services:
+ passivedns:
+ image: vimagick/passivedns
+ command: >
+ -i eth0
+ -l /var/log/passivedns/passivedns.log
+ -L /var/log/passivedns/passivedns-nx.log
+ -p /var/run/passivedns.pid
+ -P 86400
+ -S 256
+ -X 46CDNOPRSTMnx
+ volumes:
+ - ./data:/var/log/passivedns
+ network_mode: host
+ privileged: true
+ restart: unless-stopped
+```
+
+## filebeat.yml
+
+```yaml
+filebeat.inputs:
+- type: filestream
+ id: passivedns
+ paths:
+ - /path/to/passivedns/data/passivedns.log
+ - /path/to/passivedns/data/passivedns-nx.log
+ ignore_inactive: since_first_start
+ fields:
+ project: dns
+ fields_under_root: true
+ processors:
+ - include_fields:
+ fields: ["message", "project"]
+```
+
+## logstash.conf
+
+```
+input {
+ beats {
+ port => 5044
+ }
+}
+
+filter {
+ if [project] == "dns" {
+ csv {
+ separator => "||"
+ columns => [ "timestamp", "client", "server", "class", "query", "type", "answer", "ttl", "count" ]
+ convert => {
+ "ttl" => "integer"
+ "count" => "integer"
+ }
+ }
+ date {
+ match => [ "timestamp", "UNIX" ]
+ remove_field => [ "timestamp" ]
+ }
+ mutate {
+ gsub => [ "query", "\.$", "", "answer", "\.$", "" ]
+ remove_field => [ "[host]", "[agent]", "[ecs][version]", "message" ]
+ }
+ } else {
+ drop {}
+ }
+}
+
+output {
+ elasticsearch {
+ hosts => ["elasticsearch:9200"]
+ ilm_enabled => "false"
+ }
+}
+```
+
+[1]: https://github.com/gamelinux/passivedns
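Review bot: The docker-compose.yml recipe in this hunk runs the capture container with `privileged: true` on top of `network_mode: host`, which hands it full host privileges when a pcap sniffer should only need raw-socket access; replacing that line with `cap_add:` / `  - NET_RAW` / `  - NET_ADMIN` (NET_ADMIN only if promiscuous mode is wanted) should be enough, though that is worth verifying against the image. Relatedly, the logstash.conf block listens for Beats on 5044 and writes to `elasticsearch:9200` with no TLS or credentials shown, so the DNS telemetry crosses the wire in clear text and the pipeline accepts any sender; the README should at least say this is a lab layout or show the `ssl`/`user`/`password` options. Since query names are attacker-controlled, the csv filter's default quote handling may also mis-parse a name containing `"`, and a one-line note on that pitfall would help operators.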