dnsMole is designed to analyse dns traffic, and to potentionaly detect botnet C&C server and infected hosts. It can be used as passive sniffer, and it can analyse already sniffed network traffic dumped in .pcap file format. Algorithms implemented in this tool are based on research and can viewed in following papers:

1. Anomaly detection for DNS Servers using frequent host selection 2. Botnet detection by monitoring group activities in DNS traffic 3. Extending black domain name list by using co-occurrence relation between DNS queres

Since all this methods heavily depends on treshold parameters, you can define your own parameters in dnsMole configuration file and in that way increase ( or decrease :) ) chances of positive detection. dnsMole support storing black/white list in memory and in that way it can help classify hosts.

svn checkout http://dns-mole.googlecode.com/svn/trunk/ dns-mole-read-only

sudo apt-get install libsqlite3-dev libsqlite3-0

sudo apt-get install libevent-core-1.4-2 libevent-dev libevent-1.4-2

#detection based on group activity aAnalyzeInterval 1200 -- interval for collecting dns packets for activity method aDrop 5 -- remove fqdn from structure if it is queried less than n different hosts aBlackSimilarity 0.8 -- report black if similarity is higher or equal aWhiteSimilarity 0.1 -- report white if similarity is less or equal #detection based on host co-occurrence oAnalyzeInterval 600 -- interval for collecting dns packets for co-occurrence method oBlackIpTreshold 0.5 -- report host is infected if ratio (queried_black/queried_all) is higher or equal oWhite 0.1 -- report white if index is less or equal oBlack 0.9 -- report black if index is higher or equal # Subnet where program is going to be run nSubnet 16 -- define subnet where program is running, used for storing hosts ip in hash table #detection based on statistics sThresholdTotal 5 -- the threshold for the number of a host's queries/responses for a time period sThresholdPTR 5 -- for the number of PTR queries sThresholdMX 5 -- for the number of MX queries sThresholdBalance 0.9 -- for the difference between the number of queries and responses sThresholdPTRRate 0.9 -- for the rate of PTR queries sThresholdMXRate 0.9 -- for the rate of MX queries sClassifyInterval 30 -- period to classify queries into host's statistics sAnalyzeInterval 1800 -- the interval to collect data before sending to analyze

dnsMole requires that you must run program as root in sniffer mode, but otherwise for pcap analysis it isn't required. 1. pcap analysis ~ example.pcap for analysis with method 1 and put in background use bl.txt as blacklist $ dnsmole -c doc/dnsmole.conf -p example.pcap -b bl.txt -t 1 -d ~ example.pcap for analysis with method 2, pcap interval is n, and use bl.txt as blacklist and wl.txt as whitelist $ dnsmole -c doc/dnsmole.conf -p example.pcap -b bl.txt -w wl.txt -t 2 -a n 2. sniffer mode ( root privileges ) ~ use wlan0 as interface with wl.txt as whitelist, define log001 as output log and use method 3, put in background # dnsmole -i wlan0 -s -d -c doc/dnsmole.conf -w wl.txt -l log001 -t 3 3. combined ( root privileges ) ~ first use analysis on example.pcap and than run sniffer in background # dnsmole -t 2 -a n -p example.pcap -w wl.txt -b bl.txt -s -d -i wlan0 -l dnsmoleLog

# dnsmole -c /etc/dnsmole/dnsmole.conf -i eth1 -b bl.txt -w wl.txt -t 1 -s