# These are some updates to the Week 45 script
# mostly functions that parse certain parts of the data
#
# by Tom Yarrish
# Version 1.0
#
# Licensed under the GPL
# http://www.gnu.org/copyleft/gpl.html
#
# We need to add the re module for one of the functions
import re
# These functions go in place after line 34 from week 45.
# This parses the opcode value
def dns_opcode_parse(opcode):
    """Translate a one-letter DNS opcode into its descriptive name.

    Args:
        opcode: single-character opcode as it appears in the log
            ("Q", "N", "U" or "?").

    Returns:
        The human-readable opcode name.

    Raises:
        KeyError: if *opcode* is not one of the four known letters.
    """
    opcode_names = {
        "Q": "Standard Query",
        "N": "Notify",
        "U": "Update",
        "?": "Unknown",
    }
    return opcode_names[opcode]
# This parses the DNS Flag Character codes
def dns_flags_parse(flag):
    """Expand a string of DNS flag letters into their descriptive names.

    Args:
        flag: string of flag characters, e.g. "AD"; each letter is one flag.

    Returns:
        A list with one description per letter, in input order. An empty
        string yields an empty list.

    Raises:
        KeyError: if any letter is not one of A, T, D or R.
    """
    flag_names = {
        "A": "Authoritative Answer",
        "T": "Truncated Response",
        "D": "Recursion Desired",
        "R": "Recursion Available",
    }
    return [flag_names[letter] for letter in flag]
# This removes the (#) from the hostnames and replaces them with periods
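def dns_question_name_parse(dns_name):
    """Convert a length-prefixed question name into dotted form.

    The question-name field in the log uses a parenthesised number in
    front of each label, e.g. "(3)www(7)example(3)com(0)". Every "(N)"
    marker is replaced by a period and the period that replaces the first
    marker is dropped, giving "www.example.com.".

    Args:
        dns_name: question-name field as read from the log line.

    Returns:
        The dotted name (keeping a trailing dot when the name ends in
        "(0)"), or "" for an empty input.
    """
    # Raw string: '\(' and '\d' are regex escapes, not Python string
    # escapes; the non-raw form warns on newer Python versions.
    dotted = re.sub(r'\(\d+\)', '.', dns_name)
    return dotted[1:]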
# This parses out each line of the DNS file
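def dns_record_parse(dns_line):
    """Split one DNS debug-log line into its seventeen fields.

    Args:
        dns_line: a raw line from the log file.

    Returns:
        A 17-tuple (date, time, am/pm, thread id, context, internal packet
        id, UDP/TCP, Snd/Rcv, remote IP, hex XID, query/response, opcode
        name, hex flags, flag names or "NONE", response code, question
        type, question name), or None when the line is blank, is an EVENT
        line, is too short, or carries an unknown opcode or flag letter.
    """
    fields = dns_line.split()
    if not fields:
        # Blank (or whitespace-only) line, e.g. the file's trailing newline:
        # nothing to parse, skip it silently.
        return None
    try:
        # The EVENT check sits inside the try so a line with fewer than
        # five fields is reported like any other incomplete entry instead
        # of raising IndexError to the caller.
        if fields[4] == "EVENT":
            # EVENT lines do not carry the packet fields, so skip them.
            return None
        dns_date = fields[0]
        dns_time = fields[1]
        dns_ampm = fields[2]
        dns_thread_id = fields[3]
        dns_context = fields[4]
        dns_internal_packet_ident = fields[5]
        dns_udp_tcp = fields[6]
        dns_snd_rcv = fields[7]
        dns_remote_ip = fields[8]
        dns_hex_xid = fields[9]
        # A query line has a bare "Q" at field 10. Otherwise field 10 is
        # kept as the query/response marker and every later field shifts
        # right by one position.
        if fields[10] == "Q":
            dns_query_resp = "Query"
            shift = 0
        else:
            dns_query_resp = fields[10]
            shift = 1
        dns_opcode = dns_opcode_parse(fields[10 + shift])
        dns_flag_hex = fields[11 + shift]
        # When the flag-character field is absent, the response code (with
        # its trailing "]") sits where the flag characters would be and the
        # remaining fields are one position further left.
        if fields[12 + shift] in ("NOERROR]", "REFUSED]", "SERVFAIL]"):
            dns_flag_char = "NONE"
        else:
            dns_flag_char = dns_flags_parse(fields[12 + shift])
            shift += 1
        dns_resp_code = fields[12 + shift]
        dns_ques_type = fields[13 + shift]
        dns_ques_name = dns_question_name_parse(fields[14 + shift])
        return (dns_date, dns_time, dns_ampm, dns_thread_id, dns_context,
                dns_internal_packet_ident, dns_udp_tcp, dns_snd_rcv,
                dns_remote_ip, dns_hex_xid, dns_query_resp, dns_opcode,
                dns_flag_hex, dns_flag_char, dns_resp_code, dns_ques_type,
                dns_ques_name)
    except (IndexError, KeyError):
        # Short or malformed line (missing fields, unknown opcode/flag
        # letter): report it and let the caller skip it.
        print("Invalid/Incomplete entry")
        return None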
# This replaces lines 48-53 from week 45
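# Write the parsed fields of every packet line to a tab-separated file.
# 'wb' is the mode the Python 2 csv module expects for its output file.
with open(args.output_file, 'wb') as csv_output:
    csvfile = csv.writer(csv_output, delimiter='\t')
    with open(args.backup_file, "r") as new_file:
        for line in new_file:
            dns_record = dns_record_parse(line)
            # dns_record_parse returns None for EVENT lines and for lines it
            # cannot parse; indexing None would abort the whole run on the
            # first such line.
            if dns_record is None:
                continue
            csvfile.writerow(list(dns_record))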