dnstun

Version: v1.1.0
Published: Mar 8, 2020 License: MIT Imports: 15 Imported by: 0

README

dnstun

dnstun - enables DNS tunneling detection for the queries being served.

Description

With dnstun enabled, users are able to detect data exfiltration through DNS tunnels.

Syntax

dnstun {
    runtime  HOST:PORT
    detector forward|reverse DETECTOR:VERSION
}
  • runtime specifies the endpoint of the remote model runtime in HOST:PORT format. The runtime should expose an HTTP interface compatible with, for example, tensorcraft.

  • detector configures the detector as DETECTOR:VERSION and sets how its output is read. The forward option instructs the plugin to treat a higher probability in the second element of the prediction tuple as a DNS tunnel, while reverse means that the first element of the prediction tuple identifies a DNS tunnel.

Examples

Here are a few basic examples of how to enable DNS tunneling detection. Usually DNS tunneling detection is turned on for all DNS queries.

Analyze all DNS queries through a remote resolver listening on a TCP socket.

.  {
    dnstun {
        # Connect to the runtime that stores model and executes it.
        runtime 10.240.0.1:5678

        # Choose detector and its version.
        detector reverse dns_cnn:latest
    }
}
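
How the forward and reverse options change the verdict for one and the same runtime response, as an added example that is not the plugin's own code. The constant and type names mirror those documented on this page; classify, sampleBody and the "higher of the two elements wins" decision rule are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const (
	MappingForward = "forward" // names mirror the constants documented on this page
	MappingReverse = "reverse"
)

type PredictResponse struct { // mirrors the response type documented on this page
	Predictions [][]float64 `json:"predictions"`
}

// Constructed sample response body, not captured from a real runtime.
const sampleBody = `{"predictions": [[0.97, 0.03], [0.10, 0.90]]}`

// classify (hypothetical helper) reports per instance whether it reads as a tunnel.
func classify(mapping string, body []byte) ([]bool, error) {
	var idx int // tuple position holding the tunnel probability
	switch mapping {
	case MappingForward:
		idx = 1
	case MappingReverse:
		idx = 0
	default:
		return nil, fmt.Errorf("unknown mapping %q", mapping)
	}
	var resp PredictResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, err
	}
	verdicts := make([]bool, 0, len(resp.Predictions))
	for i, p := range resp.Predictions {
		if len(p) != 2 { // reject malformed tuples instead of guessing
			return nil, fmt.Errorf("prediction %d: want 2 elements, got %d", i, len(p))
		}
		verdicts = append(verdicts, p[idx] > p[1-idx])
	}
	return verdicts, nil
}

func main() {
	fwd, _ := classify(MappingForward, []byte(sampleBody))
	rev, _ := classify(MappingReverse, []byte(sampleBody))
	fmt.Println("forward:", fwd, "reverse:", rev)
}
```

The same response yields opposite verdicts under the two mappings, so the detector option has to match the output order of the deployed model.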

Documentation

Constants

const (
	// MappingForward means that first element in the prediction tuple
	// is a probability of associating DNS query to the "good" domain
	// names. The second element is a probability of "bad" domain.
	MappingForward = "forward"

	// MappingReverse is reversed representation of probabilities in
	// the prediction tuple returned by the model.
	MappingReverse = "reverse"
)

Variables

var (
	// DefaultTransport is a default configuration of the Transport.
	DefaultTransport http.RoundTripper = &http.Transport{
		Proxy: http.ProxyFromEnvironment,
		DialContext: (&net.Dialer{
			Timeout:   30 * time.Second,
			KeepAlive: 30 * time.Second,
			DualStack: true,
		}).DialContext,
		MaxIdleConns:          100,
		IdleConnTimeout:       90 * time.Second,
		TLSHandshakeTimeout:   10 * time.Second,
		ExpectContinueTimeout: 1 * time.Second,
	}

	// DefaultClient is a default instance of the HTTP client.
	DefaultClient = &http.Client{
		Transport: DefaultTransport,
	}
)

Functions

This section is empty.

Types

type Dnstun

type Dnstun struct {
	// contains filtered or unexported fields
}

Dnstun is a plugin to block DNS tunneling queries.

func NewDnstun

func NewDnstun(opts Options) *Dnstun

NewDnstun creates a new instance of the DNS tunneling detector plugin.

func (*Dnstun) Name

func (d *Dnstun) Name() string

func (*Dnstun) ServeDNS

func (d *Dnstun) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (int, error)

type Options

type Options struct {
	Mapping string
	Model   string
	Version string
	Runtime string
}

type PredictRequest

type PredictRequest struct {
	Instances [][]int `json:"instances"`
}

PredictRequest is a request to get predictions for the given attribute vectors.

type PredictResponse

type PredictResponse struct {
	Predictions [][]float64 `json:"predictions"`
}

PredictResponse lists probabilities for each attribute vector.

type Tokenizer

type Tokenizer struct {
	// contains filtered or unexported fields
}

func NewTokenizer

func NewTokenizer(alphabet string, maxChars int) Tokenizer

func (Tokenizer) TextToSeq

func (t Tokenizer) TextToSeq(text string) []int
