Tuesday, October 20, 2009

DNS Monitoring Script

Script to monitor DNS requests on an interface (the box can sit behind a tap) and then forward the results to syslog for collection. Script's a bit dirty and probably not very well constructed, but appears to do enough.

The main bulk of the script is unashamedly ripped from

An Ajax-Enhanced Web-Based Ethernet Analyzer


Main Ruby script

dns-watcher.rb

------------------------------------------------------------
#! /usr/bin/ruby -w

# The following packages are required on Ubuntu:
#   apt-get install rubygems
#   gem install net-dns   - no longer works as the version was updated to 0.6;
#                           use 0.5.2 from http://rubyforge.org/frs/?group_id=721&release_id=35799
#   apt-get install libpcap-ruby*
#
# Opening the capture device needs root (or CAP_NET_RAW).

require 'rubygems'
require 'syslog'
require 'pcap'
require 'net/dns/packet'

# Interface to listen on; bond0 here because the box sits behind a tap.
IFACE = 'bond0'

capture = Pcap::Capture.open_live(IFACE, 1500)

# Only UDP/53 is captured: DNS over TCP (large answers, zone transfers) and
# resolvers on non-standard ports will not be seen by this filter.
capture.setfilter('udp port 53')

puts "#{Time.now} - BEGIN run."

$log = Syslog.open('dns_logging', Syslog::LOG_PID, Syslog::LOG_LOCAL1)

capture.loop do |packet|
  begin
    dns_data = Net::DNS::Packet.parse(packet.udp_data)
  rescue StandardError => e
    # Anything on port 53 that is not parseable DNS would otherwise raise out
    # of the capture loop and kill the whole script; log it and carry on.
    $log.warning("unparseable dns from #{packet.ip_src}: #{e.message}")
    next
  end

  # Only log queries (QR bit clear); responses are ignored.
  next unless dns_data.header.query?

  # A query normally carries one question, but walk them all rather than
  # regex-scraping the inspect output of the question array.
  dns_data.question.each do |q|
    name = q.qName
    puts "Device #{packet.ip_src} (to #{packet.ip_dst}) at #{Time.now} looking for #{name}"
    $log.info("dns queried for #{name}") if name
  end

  STDOUT.flush
end

capture.close

puts "#{Time.now} - END run."

---------------------------------------------------------------
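The script above leans on the net-dns gem for the parsing, so it is hard to see what actually gets pulled out of each packet, or why a bad packet on port 53 could take the capture loop down. As an added example (not code from the original post, and not the net-dns gem's own implementation), here is a pure-Ruby parser for the DNS header and question section that does the same job for queries: it decodes QNAME labels including RFC 1035 compression pointers, refuses truncated data and pointer loops with an exception the caller can catch, and escapes non-printable bytes so a hostile name cannot inject newlines into the syslog line. It needs nothing beyond the standard library; every packet it works on is constructed inline for the example, and the addresses and log wording are made up to mirror the script.

```ruby
# Added example, not the page's script: a minimal parser for the DNS question
# section in pure Ruby (no net-dns, no pcap). All packets below are constructed
# by hand for this example; addresses and log wording are illustrative.

DNS_TYPES = { 1 => 'A', 2 => 'NS', 5 => 'CNAME', 12 => 'PTR', 15 => 'MX',
              16 => 'TXT', 28 => 'AAAA' }.freeze

class MalformedDns < StandardError; end

# Escape a raw label for logging: RFC 1035 \DDD form for anything that is not
# printable ASCII, plus '.' and '\' which would be ambiguous. This keeps a
# hostile QNAME from injecting newlines or control characters into syslog.
def escape_label(label)
  label.bytes.map do |b|
    if b.between?(0x21, 0x7e) && b != 0x2e && b != 0x5c
      b.chr
    else
      format('\\%03d', b)
    end
  end.join
end

# Read a domain name at +offset+, following compression pointers (RFC 1035
# section 4.1.4). Returns [name, offset just past the name in the original
# stream]. Raises MalformedDns on truncation, bad lengths or a pointer loop.
def read_name(data, offset)
  labels = []
  after = nil      # where the caller resumes; fixed by the first pointer seen
  hops = 0
  loop do
    raise MalformedDns, 'truncated name' if offset >= data.bytesize
    len = data.getbyte(offset)
    if len.zero?
      after ||= offset + 1
      break
    elsif (len & 0xC0) == 0xC0
      raise MalformedDns, 'truncated pointer' if offset + 1 >= data.bytesize
      after ||= offset + 2
      hops += 1
      raise MalformedDns, 'pointer loop' if hops > 16
      offset = ((len & 0x3F) << 8) | data.getbyte(offset + 1)
    elsif len > 63
      raise MalformedDns, 'bad label length'
    else
      raise MalformedDns, 'truncated label' if offset + 1 + len > data.bytesize
      labels << escape_label(data.byteslice(offset + 1, len))
      offset += 1 + len
    end
  end
  [labels.join('.'), after]
end

# Parse a DNS message (the UDP payload). Returns the header id, whether it is
# a query (QR bit clear) and the questions. Raises MalformedDns on bad input.
def parse_dns(payload)
  raise MalformedDns, 'short header' if payload.bytesize < 12
  id, flags, qdcount = payload.unpack('nnn')
  offset = 12
  questions = Array.new(qdcount) do
    name, offset = read_name(payload, offset)
    raise MalformedDns, 'truncated question' if offset + 4 > payload.bytesize
    qtype, qclass = payload.byteslice(offset, 4).unpack('nn')
    offset += 4
    { name: name, type: DNS_TYPES.fetch(qtype) { "TYPE#{qtype}" }, class: qclass }
  end
  { id: id, query: (flags & 0x8000).zero?, questions: questions }
end

# One packet's worth of the capture loop: a log line for queries, nil for
# responses, and a log line (not an exception) for malformed data.
def describe_packet(src, dst, payload)
  msg = parse_dns(payload)
  return nil unless msg[:query]
  names = msg[:questions].map { |q| "#{q[:name]} #{q[:type]}" }.join(', ')
  "dns queried from #{src} to #{dst} for #{names}"
rescue MalformedDns => e
  "malformed dns from #{src} to #{dst}: #{e.message}"
end

# --- constructed sample packets (wire format built by hand) -----------------
def encode_name(name)
  name.split('.').map { |l| [l.bytesize, l].pack('Ca*') }.join + [0].pack('C')
end

def build_query(id, name, qtype)
  [id, 0x0100, 1, 0, 0, 0].pack('n6') + encode_name(name) + [qtype, 1].pack('nn')
end

SAMPLE_QUERY    = build_query(0x1234, 'www.example.com', 1)
SAMPLE_RESPONSE = SAMPLE_QUERY.dup.tap { |p| p.setbyte(2, p.getbyte(2) | 0x80) }
TRUNCATED       = SAMPLE_QUERY.byteslice(0, 20)
# second question reuses the first name via a compression pointer to offset 12
POINTER_QUERY   = [0x1235, 0x0100, 2, 0, 0, 0].pack('n6') + encode_name('www.example.com') +
                  [1, 1].pack('nn') + [0xC00C].pack('n') + [28, 1].pack('nn')
# a name whose pointer points at itself
POINTER_LOOP    = [0x1236, 0x0100, 1, 0, 0, 0].pack('n6') + [0xC00C].pack('n') + [1, 1].pack('nn')
# a label carrying a newline, as an attacker-controlled QNAME might
INJECTED        = build_query(0x1237, "evil\nfake.example.com", 16)

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_QUERY, SAMPLE_RESPONSE, TRUNCATED, POINTER_QUERY, POINTER_LOOP, INJECTED].each do |p|
    puts describe_packet('10.0.0.5', '10.0.0.1', p).inspect
  end
end
```

Run it as a plain Ruby file and it prints one line per sample packet; the truncated and self-referencing packets come out as "malformed dns" lines instead of stack traces, and the injected newline appears as `\010` in the log text.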

Bash wrapper to start the script

dns-watcher

---------------------------------------------------------------

#!/bin/bash
#
# Start/stop wrapper for dns-watcher.rb. The Ruby process is backgrounded and
# its own pid recorded, so "start" returns straight away (Monit needs that)
# and "stop" kills the watcher rather than the wrapper.
# Note the process runs as root; a predictable output file in /tmp is open to
# symlink tricks, so a path under /var/log is the safer choice.

PIDFILE=/var/run/dns-watcher.pid
LOGFILE=/tmp/dns-watcher.out

case "$1" in
start)
  nohup ruby /home/dns/dns-watcher.rb >>"$LOGFILE" 2>&1 &
  echo $! > "$PIDFILE"
  ;;
stop)
  kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
  ;;
*)
  echo "usage: dns-watcher {start|stop}"
  ;;
esac
exit 0

------------------------------------------------------------

Script can be started with

dns-watcher start &

and stopped with

dns-watcher stop &

Sometimes the script stops unexpectedly and my lack of coding skills stops me from understanding why, so I use Monit to monitor the process and restart it if need be.

Monit config: follow the normal rules for getting Monit to work and then add the lines below specifically for the dns-watcher script. Monit runs the start and stop programs directly rather than through a shell, so the start program has to return on its own.

--------------------------------------------------------------

# Monitor Ruby process for dns-watcher

check process dns-watcher with pidfile /var/run/dns-watcher.pid
  start program = "/home/dns/dns-watcher start"
  stop program = "/home/dns/dns-watcher stop"

---------------------------------------------------------------

Something like phpLogCon can be used to view the syslog output.

Wednesday, October 14, 2009

BioMetrics Test Report

It's a bit old but is an interesting read nonetheless.

pdf

Wednesday, October 7, 2009

Security policy resource

SANS resource site, covering a wide range of security policies.

http://www.sans.org/security-resources/policies/

Tuesday, October 6, 2009

Database auditing

A series of links, either from securosis.com or pages created by them, on database auditing and what to look for.

http://securosis.com/research/database-security

Events to look for in the following DBs:

SQL Server (pdf)
Sybase (pdf)
DB2 (pdf)
Oracle (pdf)


http://securosis.com/research/publication/database-audit-events/

Minimum events to look for

http://www.darkreading.com/blog/archives/2009/10/database_auditi.html

Oracle single sign-on product

http://www.v3.co.uk/v3/news/2250631/oracle-rolls-single-sign

Friday, October 2, 2009

Duplicating keys from pictures

Interesting article and piece of research on the ability to photograph keys and then duplicate them without physical access to the originals.

PDF paper

Thursday, October 1, 2009

sandboxie tool

Interesting tool at http://www.sandboxie.com/

Used to sandbox applications when running them, or to sandbox browsers while surfing.
 
Copyright 2009 Security Monkey.