<?php
include_once('functions.php');
include_once('config.php');
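/**
 * Import a Bro/Zeek dns.log into the database.
 *
 * The log is tab-separated; lines starting with '#' are metadata
 * (#fields, #types, #close, ...) and are skipped. For every data record
 * two things happen:
 *   1. the record is queued for a multi-row INSERT built on DNS_LOG_INSERT,
 *      flushed every $batchSize rows and once more at end of file;
 *   2. if the record is an answered (NOERROR) A or AAAA query, every IP
 *      address in its answers column is upserted into passive_dns
 *      (first/last seen timestamps plus a hit counter).
 *
 * Column positions (DNS_*) and DNS_LOG_INSERT are constants from config.php;
 * ReturnString/ReturnNum/db_query/num_rows/is_ip are helpers from functions.php.
 *
 * NOTE(review): every value is interpolated straight into SQL strings. The
 * query and answers columns are attacker-controlled (any host on the monitored
 * network can get an arbitrary name logged), so this is only safe if
 * ReturnString() escapes for the database in use and is_ip() accepts nothing
 * but a literal address - both should be confirmed in functions.php. A
 * parameterised db helper would be the proper fix; this function at least
 * makes sure nothing reaches the SQL without passing one of those two gates.
 *
 * @param string $fileName  path of the dns.log to import
 * @param int    $batchSize rows per INSERT statement (10 keeps the old behaviour)
 * @return void
 * @throws RuntimeException if $fileName cannot be opened for reading
 */
function LoadBroDNSLogs($fileName, $batchSize = 10) {
    print("Importing dns log file $fileName \n");

    $file = fopen($fileName, "r");
    if ($file === false) {
        // Unchecked, feof(false) never becomes true: the old loop spun forever on
        // PHP 7 and throws a TypeError on PHP 8. Fail loudly instead.
        throw new RuntimeException("Cannot open dns log file $fileName for reading");
    }
    $batchSize = max(1, (int) $batchSize);

    // Highest column index we read; shorter lines are malformed and are skipped
    // rather than silently read as NULLs.
    $lastColumn = max(DNS_TS, DNS_UID, DNS_TRANSID, DNS_QUERY, DNS_CLASSNAME,
        DNS_TYPENAME, DNS_RESPONSECODENAME, DNS_ANSWERS, DNS_TTL);

    // Rows queued for the next multi-row INSERT, each already formatted as "(...)".
    $pending = [];
    $flush = function () use (&$pending) {
        if ($pending === []) {
            return;
        }
        $insertStatement = DNS_LOG_INSERT . implode(', ', $pending) . ';';
        if (! db_query($insertStatement)) {
            echo "ERROR...... $insertStatement \n";
        }
        $pending = [];
    };

    while (($line = fgets($file)) !== false) {
        $line = rtrim($line, "\r\n");
        if ($line === '' || $line[0] === '#') {
            continue; // blank line, or #fields/#types/#close metadata
        }
        // Bro's TSV has no quoting, so a plain split is the faithful parser;
        // fgetcsv() treats '"' as an enclosure and would mangle names containing it.
        $fields = explode("\t", $line);
        if (count($fields) <= $lastColumn) {
            print("Skipping malformed dns log line: $line \n");
            continue;
        }

        $ts = $fields[DNS_TS];
        if (! is_numeric($ts)) {
            // $ts is interpolated unquoted into FROM_UNIXTIME(); only a number may get there.
            print("Skipping dns log line with non-numeric timestamp: $line \n");
            continue;
        }
        // $uid used to be the one quoted value that bypassed ReturnString(); treat it like its siblings.
        $uid = ReturnString($fields[DNS_UID]);
        $transID = ReturnString($fields[DNS_TRANSID]);
        $query = ReturnString($fields[DNS_QUERY]);
        $className = ReturnString($fields[DNS_CLASSNAME]);
        $typeName = ReturnString($fields[DNS_TYPENAME]);
        $responseName = ReturnString($fields[DNS_RESPONSECODENAME]);
        $answers = ReturnString($fields[DNS_ANSWERS]);
        $ttl = ReturnNum($fields[DNS_TTL]);

        // Split the name into "tld" (its last two labels) and "subdomain"
        // (everything before them); a name with fewer than two labels is all tld.
        $labels = explode('.', $query);
        $labelCount = count($labels);
        if ($labelCount >= 2) {
            $tld = $labels[$labelCount - 2] . '.' . $labels[$labelCount - 1];
            $subdomain = implode('.', array_slice($labels, 0, $labelCount - 2));
        } else {
            $tld = $query;
            $subdomain = '';
        }

        $pending[] = "('$uid', '$transID', '$subdomain', '$tld', '$className', '$typeName', '$responseName', '$answers', $ttl)";
        if (count($pending) >= $batchSize) {
            $flush();
        }

        // Passive DNS: record every IP address that an answered A/AAAA query resolved to.
        if (($typeName === 'A' || $typeName === 'AAAA') && $responseName === 'NOERROR') {
            foreach (explode(',', $answers) as $answer) {
                // is_ip() is the only thing standing between the answer text and the SQL below.
                if (! is_ip($answer)) {
                    continue;
                }
                $seen = num_rows("SELECT * from passive_dns WHERE PASSIVE_QUERY = '$query' and PASSIVE_ANSWER = INET6_ATON('$answer');");
                if ($seen > 0) {
                    // Known query/answer pair: bump the counter and the last-seen time.
                    $sql = "UPDATE passive_dns SET passive_lastfound = FROM_UNIXTIME($ts),
                        passive_count = passive_count + 1 WHERE PASSIVE_QUERY =
                        '$query' and PASSIVE_ANSWER = INET6_ATON('$answer');";
                } else {
                    // New pair: first and last seen are both this record's timestamp.
                    $sql = "INSERT INTO passive_dns (PASSIVE_QUERY, PASSIVE_ANSWER, PASSIVE_FIRSTFOUND,
                        PASSIVE_LASTFOUND, PASSIVE_COUNT) VALUES ('$query', INET6_ATON('$answer'), FROM_UNIXTIME($ts),
                        FROM_UNIXTIME($ts), 1)";
                }
                db_query($sql);
            }
        }
    }

    $flush(); // rows left over from an incomplete batch
    fclose($file);
}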
?>