-
Notifications
You must be signed in to change notification settings - Fork 0
/
install.txt
71 lines (55 loc) · 2.47 KB
/
install.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
- Log in to the system that contains the Zeek logs containing addresses
that need to be looked up. You need to log in to that system as a user
that can write to the zeek log directory tree (commonly /opt/zeek/logs/
or /opt/zeek/remotelogs/sensorname/yyyy-mm-dd/).
- Find the IP address of the DNS server that has both the PTR, ipv4 A
(and optionally ipv6 AAAA) records for those IP addresses.
- Run:
mkdir -p ~/bin/
- Copy these files to ~/bin/ :
active_dns_lookup.py
db_lib.py
zcutter.py
justone.py
run_active_dns.sh
- Run:
chmod 755 ~/bin/*.py ~/bin/run_active_dns.sh
sudo -H pip install dnspython
- Edit ~/bin/run_active_dns.sh with your preferred editor ("nano" is
relatively easy if you don't have one.) Modify the "export
dns_server..." line (instructions are just above the line). Also, edit
the "egrep" command line to select the addresses to look up;
instructions to do that are also just below the "export dns_server..."
line.
- Run:
~/bin/run_active_dns.sh /full/path/to/dir/with/zeek/logs/
, such as:
~/bin/run_active_dns.sh /opt/zeek/sensor1__1234/2023-11-01/
and report back any errors to [email protected] .
- If all goes well, you'll have an additional dns log file called
dns.23:59:58-23:59:59.log.gz
in your zeek log directory. You can create a test AC-Hunter
database with it by running:
rita import /full/path/to/dir/with/zeek/logs/ sim_dns_test1
When that finishes importing, take a look at that database; you
should have local hostnames included too.
- If you are doing zone transfers, you need to tell your dns server to
allow this:
#==== For named ====
#Log into the dns server and edit /etc/named.conf . In the section for your domain, like:
#zone "example.org" {
# type master;
# ...
#};
#You need to update the existing allow-transfer line (or create it) so you add the _public_ IP address of the system running this script, like:
# allow-transfer { 1.1.1.1; fe80::1; my.public.ip.address; };
#and run:
#service named reload
#==== For Windows Server 2022 ====
Go to start, server manager, tools, dns
Under forward lookup zone, select the zone you want, right click and go to properties
Select zone transfers tab
Check off allow zone transfers
Select "only to the following servers". Edit server name list. Click to add and add the IP address of the machine running active_dns_lookup.py (*) and press enter. Choose OK.
Click Apply, then OK.
* If that machine is behind a nat device, use the outside IP address of that nat device instead.