update passivedns
This commit is contained in:
parent
13dbbd951f
commit
458f65a3d9
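--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,2 +1,87 @@
 passivedns
 ==========
+
+[PassiveDNS][1] is a tool to collect DNS records passively to aid Incident handling, Network
+Security Monitoring (NSM) and general digital forensics.
+
+## docker-compose.yml
+
+```yaml
+version: "3.8"
+services:
+  passivedns:
+    image: vimagick/passivedns
+    command: >
+      -i eth0
+      -l /var/log/passivedns/passivedns.log
+      -L /var/log/passivedns/passivedns-nx.log
+      -p /var/run/passivedns.pid
+      -P 86400
+      -S 256
+      -X 46CDNOPRSTMnx
+    volumes:
+      - ./data:/var/log/passivedns
+    network_mode: host
+    privileged: true
+    restart: unless-stopped
+```
+
+## filebeat.yml
+
+```yaml
+filebeat.inputs:
+  - type: filestream
+    id: passivedns
+    paths:
+      - /path/to/passivedns/data/passivedns.log
+      - /path/to/passivedns/data/passivedns-nx.log
+    ignore_inactive: since_first_start
+    fields:
+      project: dns
+    fields_under_root: true
+    processors:
+      - include_fields:
+          fields: ["message", "project"]
+```
+
+## logstash.conf
+
+```
+input {
+  beats {
+    port => 5044
+  }
+}
+
+filter {
+  if [project] == "dns" {
+    csv {
+      separator => "||"
+      columns => [ "timestamp", "client", "server", "class", "query", "type", "answer", "ttl", "count" ]
+      convert => {
+        "ttl" => "integer"
+        "count" => "integer"
+      }
+    }
+    date {
+      match => [ "timestamp", "UNIX" ]
+      remove_field => [ "timestamp" ]
+    }
+    mutate {
+      gsub => [ "query", "\.$", "", "answer", "\.$", "" ]
+      remove_field => [ "[host]", "[agent]", "[ecs][version]", "message" ]
+    }
+  } else {
+    drop {}
+  }
+}
+
+output {
+  elasticsearch {
+    hosts => ["elasticsearch:9200"]
+    ilm_enabled => "false"
+  }
+}
+```
+
+[1]: https://github.com/gamelinux/passivedns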
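Review bot: The compose snippet in the docker-compose.yml block combines `network_mode: host` with `privileged: true`, which hands the container every capability and all host devices when passive capture on eth0 only needs raw-socket access; the least-privilege form is to drop the `privileged: true` line and add `cap_add:` with `- NET_RAW` and `- NET_ADMIN`. Whether passivedns needs anything beyond those two capabilities for opening the capture interface and writing `-p /var/run/passivedns.pid` should be confirmed against the image's entrypoint, which is not on this page. The `version: "3.8"` key is also obsolete for Compose v2 and only produces a warning, so it could be dropped in the same edit.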