https://github.com/5fingers/dnstrafficanalyzer
A tool that captures and analyzes DNS traffic to identify suspicious domain lookups, potential DNS tunneling, or communication with malicious domains.
https://github.com/5fingers/dnstrafficanalyzer
analysis cybersecurity dns dns-analysis dnssec python3 threat-hunting threat-intelligence
Last synced: 3 months ago
JSON representation
A tool that captures and analyzes DNS traffic to identify suspicious domain lookups, potential DNS tunneling, or communication with malicious domains.
- Host: GitHub
- URL: https://github.com/5fingers/dnstrafficanalyzer
- Owner: 5Fingers
- License: mit
- Created: 2023-05-20T13:29:39.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2023-05-22T05:36:49.000Z (about 2 years ago)
- Last Synced: 2024-12-30T08:26:11.846Z (5 months ago)
- Topics: analysis, cybersecurity, dns, dns-analysis, dnssec, python3, threat-hunting, threat-intelligence
- Language: Python
- Homepage:
- Size: 25.4 KB
- Stars: 3
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
 
# DNSTrafficAnalyzer
The DNSTrafficAnalyzer Tool is a Python script designed for capturing and analyzing DNS traffic.
Its purpose is to identify suspicious domain lookups, potential DNS tunneling, and communication with malicious domains - which makes it an essential tool for threat hunting and threat intelligence
## Features
- Captures and analyzes DNS traffic from a PCAP file.
- Detects suspicious domain lookups by analyzing the queried domain names.
- Identifies potential DNS tunneling by examining the DNS query types.
- Alerts on communication with known malicious domains based on DNS responses.
- Detects DNSSEC validation failures.
- Identifies DNS amplification attacks.
- Detects fast flux domains.
- Identifies DNS rebinding.
- Logs detected suspicious activities using a configurable logging system.
## Usage
1. Install the required dependencies by running `pip install -r requirements.txt`.
2. Prepare a PCAP file containing DNS traffic that you want to analyze.
3. Run the script by executing the following command:
```
python dns_traffic_analysis.py
```
Replace `` with the path to your PCAP file.
4. The script will process the DNS traffic in the PCAP file and perform analysis.
5. Suspicious domain lookups, potential DNS tunneling, or communication with malicious domains will be reported through the configured logging system.
6. Review the logs generated by the script to identify any identified suspicious activities.
## Customization
The DNS Traffic Analysis Tool provides basic implementations for suspicious domain lookups, DNS tunneling detection, and malicious communication detection. You can customize these functionalities to match your specific requirements.
- To customize suspicious domain lookups, modify the `is_suspicious_domain` method in the `DNSTrafficAnalyzer` class.
- To customize DNS tunneling detection, modify the `is_dns_tunneling` method in the `DNSTrafficAnalyzer` class.
- To customize malicious communication detection, modify the `is_malicious_communication` method in the `DNSTrafficAnalyzer` class.
## Dependencies
- Python 3.6 or higher
- dpkt library
## License
This project is licensed under the [MIT License](LICENSE).
## Disclaimer
The DNSTrafficAnalyzer Tool is provided as-is without any warranty. Use it at your own risk and responsibility. Always ensure compliance with applicable laws and obtain proper authorization before analyzing network traffic that is not your own.
## References
- [dpkt library](https://dpkt.readthedocs.io/) - Python library for parsing network protocols, used for reading PCAP files and analyzing DNS traffic.