Skip to content

Automatically exported from code.google.com/p/dns-mole

License

Notifications You must be signed in to change notification settings

redbad2/dns-mole

Repository files navigation

About
=====

dnsMole is designed to analyse dns traffic, and to potentionaly detect botnet C&C server and infected hosts.
It can be used as passive sniffer,  and it can analyse already  sniffed network traffic dumped in .pcap file 
format. Algorithms implemented in this tool are based on work from  academic circle. 
You can find out about method implemented in this tool in papers:

    1. Botnet detection by monitoring group activities in DNS traffic
    2. Extending black domain name list by using co-occurrence relation between DNS queres

Since all this methods heavily depend on threshold parameters, you can define your own parameters 
in dnsMole configuration file and  in that way increase ( or decrease :) ) chanches of positive detection.
dnsMole support storing  black/white list in memory and in that way help classifying hosts 

dnsmole.conf
============	

LogFile ../doc/dnsmole.db 

#detection based on group activity

aAnalyzeInterval 1200   -- interval for collecting dns packets for activity method
aDrop 5                 -- remove fqdn from structure  if it is queried less than n different hosts
aBlackSimilarity 0.8    -- report black if similarity is higher or equal
aWhiteSimilarity 0.1    -- report white if similarity is less or equal

#detection based on host co-occurrence

oAnalyzeInterval 600    -- interval for collecting dns packets for co-occurrence method
oBlackIpTreshold 0.5    -- report host is infected if ratio (queried_black/queried_all) is higher or equal
oWhite 0.1              -- report white if index is less or equal
oBlack 0.9              -- report black if index is higher or equal

# Subnet where program is going to be run

nSubnet 16              -- define subnet where program is running, used for storing hosts ip in hash table


dnsMole program parameters
==========================

  -b <file> and -w <file> - black/white list filename
  -c <file>  - configuration filename
  -i <interface> - set interface for sniffing
  -s - sniffer mode
  -d - run programm in backgroun
  -p <file> - use .pcap file for analysis
  -t <1|2> - analysis method
  
Installation
============

As usual: ./configure & make

How to use program
==================

dnsMole requires that you must run program as root in sniffer mode, but otherwise for pcap analysis
it isn't required.
  
1. pcap analysis

~ example.pcap for analysis with method 1 and put in background use bl.txt as blacklist

$  dnsmole -c doc/dnsmole.conf -p example.pcap -b bl.txt -t 1 -d

~ example.pcap for analysis with method 2, and use bl.txt as blacklist and wl.txt as whitelist

$ dnsmole -c doc/dnsmole.conf -p example.pcap -b bl.txt -w wl.txt -t 2

2. sniffer mode ( root privileges )

~ use wlan0 as interface with wl.txt as whitelist, use method 3, put in background

# dnsmole -i wlan0 -s -d -c doc/dnsmole.conf -w wl.txt -t 3

3. combined ( root privileges )

~ first use analysis on example.pcap and than run sniffer in background

# dnsmole -t 2 -p example.pcap -w wl.txt -b bl.txt -s -d -i wlan0

Dependencies
============

dnsMole is using:
	
	1. event library ( -levent )
	2. pcap libirary ( -lpcap )
	3. mathematic library ( -lm )	
	4. sqlite3 library ( -lsqlite3 )				

About

Automatically exported from code.google.com/p/dns-mole

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •