{"id":13440393,"url":"https://github.com/gamelinux/passivedns","last_synced_at":"2025-03-20T09:33:01.843Z","repository":{"id":1023498,"uuid":"1679745","full_name":"gamelinux/passivedns","owner":"gamelinux","description":"A network sniffer that logs all DNS server replies for use in a passive DNS setup","archived":false,"fork":false,"pushed_at":"2024-05-28T06:32:17.000Z","size":535,"stargazers_count":1674,"open_issues_count":34,"forks_count":372,"subscribers_count":166,"default_branch":"master","last_synced_at":"2024-10-28T02:20:36.369Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"http://gamelinux.org/","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gamelinux.png","metadata":{"files":{"readme":"README","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2011-04-29T07:20:58.000Z","updated_at":"2024-10-25T16:26:21.000Z","dependencies_parsed_at":"2024-10-27T23:46:33.478Z","dependency_job_id":null,"html_url":"https://github.com/gamelinux/passivedns","commit_stats":{"total_commits":244,"total_committers":27,"mean_commits":9.037037037037036,"dds":"0.49590163934426235","last_synced_commit":"c411c46a66f9ff31e93416984162bc5ff2da5406"},"previous_names":[],"tags_count":17,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gamelinux%2Fpassivedns","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gamelinux%2Fpassivedns/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gamelinux%2Fpassivedns/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gamelinux%2Fpassivedns/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gamelinux","download_url":"https://codeload.github.com/gamelinux/passivedns/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244586018,"owners_count":20476860,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T03:01:22.377Z","updated_at":"2025-03-20T09:33:01.565Z","avatar_url":"https://github.com/gamelinux.png","language":"C","funding_links":[],"categories":["C","Network","\u003ca id=\"79499aeece9a2a9f64af6f61ee18cbea\"\u003e\u003c/a\u003e浏览嗅探\u0026\u0026流量拦截\u0026\u0026流量分析\u0026\u0026中间人","Network Tools","C (286)","\u003ca id=\"7bf0f5839fb2827fdc1b93ae6ac7f53d\"\u003e\u003c/a\u003e工具","Tools"],"sub_categories":["Monitoring / Logging","\u003ca id=\"c09843b4d4190dea0bf9773f8114300a\"\u003e\u003c/a\u003e流量嗅探\u0026\u0026监控","Network Reconnaissance Tools","\u003ca id=\"32739127f0c38d61b14448c66a797098\"\u003e\u003c/a\u003e嗅探\u0026\u0026Sniff","Network Tools"],"readme":"#\n#  ______                                           ____   __  __  _____\n# |  __  |                         @               |    \\ |  \\ | ||  ___| (TM)\n# | _____|.------. .-----. .-----. _ -. .-.------. | |\\  ||   \\| ||___  |\n# |  |    |  __  ||__  --'|__  --'| |\\ Y /| _--__|_| |/  ||      || \\_| |\n# |__|    |____|_||______||______||_| \\_/ |_______/|____/ |__|\\__||_____|\n#\n#\n\nA tool to collect DNS records passively to aid Incident handling, Network\nSecurity Monitoring (NSM) and general digital forensics.\n\nPassiveDNS sniffs traffic from an interface or reads a pcap-file and outputs\nthe DNS-server answers to a log file. PassiveDNS can cache/aggregate duplicate\nDNS answers in-memory, limiting the amount of data in the logfile without\nlosing the essense in the DNS answer.\n\nExample output from version 1.0.0-\u003eCurrent in the log file (/var/log/passivedns.log):\n\n#timestamp||dns-client ||dns-server||RR class||Query||Query Type||Answer||TTL||Count\n1322849924.408856||10.1.1.1||8.8.8.8||IN||upload.youtube.com.||A||74.125.43.117||46587||5\n1322849924.408857||10.1.1.1||8.8.8.8||IN||upload.youtube.com.||A||74.125.43.116||420509||5\n1322849924.408858||10.1.1.1||8.8.8.8||IN||www.adobe.com.||CNAME||www.wip4.adobe.com.||43200||8\n1322849924.408859||10.1.1.1||8.8.8.8||IN||www.adobe.com.||A||193.104.215.61||43200||8\n1322849924.408860||10.1.1.1||8.8.8.8||IN||i1.ytimg.com.||CNAME||ytimg.l.google.com.||43200||3\n1322849924.408861||10.1.1.1||8.8.8.8||IN||clients1.google.com.||A||173.194.32.3||43200||2\n\nPassiveDNS works on IPv4 and IPv6 traffic and parse DNS traffic over TCP and UDP.\n\n** How can PassiveDNS be used: **\n\nTypical usages:\n\n1) Search for domain or IP history when working on an incident.\n   Example:\n   Company has malware talking to bad.twittertoday.com.\n   At current time, the domain is resolving to say 202.29.94.200\n   You search your Flowdata and find the clients talking to that IP and\n   remidate. You look at the Flowdata, and you discover that the date\n   and time the clients first talked to that IP, and concludes that as\n   the time of infection...\n\n   But using PassiveDNS data, quering the domain, you get following history:\n\n FirstSeen  | LastSeen   | TYPE | TTL |        Query         |   Answer\n----------------------------------------------------------------------------\n 2011-12-01 | 2011-12-11 |    A |  60 | bad.twittertoday.com |  71.51.115.11\n 2011-12-11 | 2011-12-18 |    A |  60 | bad.twittertoday.com |     127.0.0.1\n 2011-12-18 | 2012-01-14 |    A |  60 | bad.twittertoday.com | 202.29.94.200\n\n   Going back and searching for 71.51.115.11 in your Flowdata, you find\n   traffic back to the FirstSeen data, and you also see more clients\n   initially infected (so you did not manage to remidate/check out all your\n   clients in the first run by just looking at IP 202.29.94.200). Doing\n   forensics on the the clients you missed in the first run, reveals that\n   they have downloaded a different malware and deleted the initial one,\n   that beeing the reason you did not see flows from them to 202.29.94.200.\n   The new malware gives you new domains and IPs to go look for...\n\n2) Say you have an indication of malicious C\u0026C traffic going to an IP on\n   port 80. The domain used by the alleged malware is supposed to be\n   cc.twittertoday.com. Searching you Flowdata, reveals lots of clients\n   talking to that IP, and you might think that the whole company is p0wned.\n   A quick search in your PassiveDNS DB shows you that the IP in question is\n   also hosting 300 + websites and you might even spot a website hosted on\n   that IP that you are familiar with and that you know lots of people in the\n   company would legit visit daily.\n   Searching your PassiveDNS DB gives you no hits for the domain in question,\n   hopefully meaning that you dont have that malware talking to that domain\n   in your network.\n\n3) You know that *.twittertoday.com are often used in malware and the\n   subdomains change randomly. Many have rules for such domains in their\n   IDS/IPS, sucking up unnecessary juice from the systems. Having a script\n   pre-loaded with a list of regexp of domains and subdomains to watch for\n   and giving you an alert when they hit will give you much better detection\n   on threat based on domains.\n\n   You can also do a whois for all new top domains seen, correlate the whois\n   info with a list of know bad info, such as the name of the person or\n   company that has registered the domain, telephone/fax numbers, address\n   and so on, ending up with a score that might be high enough for triggering\n   an alert to you :)\n\n\nQuestions, suggestions, sugar or flame is always welcome :)\n\nI hope PassiveDNS gives you a new tool to fight malware and its herders...\n\n(c)2011-2020  -  Edward Bjarte Fjellskål\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgamelinux%2Fpassivedns","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgamelinux%2Fpassivedns","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgamelinux%2Fpassivedns/lists"}