tunviz.py

DNS Tunnel Detection

Introduction

This application parses DNS server log entries and looks for signs of DNS tunnel activity through the very complicated method of filtering out the crap you don't want and counting the rest.

Requirements

tldextract is required. Get it at: https://github.com/john-kurkowski/tldextract

Instructions

Command-line arguments
python tunviz.py [-dfq][-b int][-i input_file] -c config_file

-b int          Set how many seconds between beacons (default:5)
-c filename     Location of the config file (default:default.cfg)
-d              Enable debug mode (default:False)
-f              Use additional noise filtering (default:False)
-i filename     Location of the file to parse (default:None)
-q              Quiet mode, only results output (default:False)

Example

python tunviz.py -d -f -b 60 -i log.txt -c default.cfg

It can also take stdin as an input:

cat log1.txt log2.txt | python tunviz.py -q -c default.cfg

Config File

The config file has two types of section: General and Parser.

The General section can set the beacon interval and the additional-filter values, but the command-line arguments override them.

The Parser sections contain the following values: