Export icmp and dns data

haka-security · Sep 24, 2014 · b821c73 · b821c73
1 parent b3d0388
commit b821c73
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 0 deletions.
diff --git a/module/dns.lua b/module/dns.lua
@@ -0,0 +1,18 @@
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0. If a copy of the MPL was not distributed with this
+-- file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+local dns = require('protocol/dns')
+
+dns.install_udp_rule(53)
+
+haka.rule{
+	hook = dns.events.query,
+	eval = function (dns, query)
+		hakabana:insert('hakabana', 'dns', nil, {
+			['@timestamp'] = hakabana:timestamp(haka.network_time()),
+			query = query.question['name'],
+			flow = dns.flow.flowid
+		})
+	end
+}
diff --git a/module/init.lua b/module/init.lua
@@ -32,6 +32,7 @@ function module.initialize(config)
 		require('/misc/hakabana/packet')
 		require('/misc/hakabana/flow')
 		require('/misc/hakabana/http')
+		require('/misc/hakabana/dns')
 	else
 		error("missing elastic search config")
 	end

diff --git a/module/packet.lua b/module/packet.lua
@@ -4,6 +4,7 @@
 
 local raw = require('protocol/raw')
 local ipv4 = require('protocol/ipv4')
+local icmp = require('protocol/icmp')
 local tcp = require('protocol/tcp')
 local udp = require('protocol/udp')
 
@@ -35,6 +36,14 @@ haka.rule{
 	end
 }
 
+haka.rule{
+	hook = icmp.events.receive_packet,
+	eval = function (pkt)
+		local data = pkt.ip.raw.data
+		data.type = 'icmp'
+	end
+}
+
 haka.rule{
 	hook = tcp.events.receive_packet,
 	eval = function (pkt)