Plugins for DNSMule
Project description
Plugins for DNSMule
It is recommended to look through each module to see what arguments they take.
Certcheck
Arguments:
rules:
- name: certcheck
record: A
type: 'ip.certs'
config:
ports: # Ports to scan
- 443
- 8443
timeout: 1 # timeout for cert fetching
stdlib: false # Prefer STDLIB implementation
callback: false # Whether a callback should be called for resolved domains
Scans any resolved A or AAAA record for certificates from a given list of ports.
There are two ways to scan for certificates, a Python stdlib solution and one with cryptography library parsing certs.
Tags are produced for cert issuer:
IP::CERTS::{rule_name}::ISSUER::{issuer_rfc_string}
More data is available in result.data:
result.data['resolvedCertificates'] = certificates_as_list_of_dicts
See the Certificate dataclass to_json method in certificates.py.
The plugin takes a callback argument for any domains resolved from certificate common and alternative names.
This plugin requires the following dependencies:
cryptography(optional)
IPRanges
Arguments:
rules:
- name: ipranges
record: A
type: 'ip.ranges'
config:
providers: # Lowercase only
- amazon
- google
- microsoft
Scans any resolved A or AAAA record for addresses in the major cloud provider ranges.
Currently, supports the following providers:
- Microsoft
- Google Cloud
- Amazon AWS
Provider IP ranges are refreshed on one hour intervals.
This provides tags like:
IP::RANGES::{rule_name}::{provider}::{service}::{region}
IP::RANGES::SAMPLE_RULE::AMAZON::LAMBDA::US-WEST-1
This plugin requires the following dependencies:
httpx
PTRScan
Arguments:
rules:
- name: ptrscan
record: A
type: 'ip.ptr'
Scans any resolved A or AAAA record for a matching PTR record.
The pointer is used to discover automatically generated cloud provider pointer records for services.
The plugin tries to detect pointer records where the ip of the A or AAAA record is present in any of the following
forms:
- dot separated
- dot separated reversed
- dash separated
- dash separated reversed
- Any of the above anywhere in the string
This resolves to a provider with the prefix removed from the record.
For example a PTR of the form with a rule name sample_rule
123.456.789.000 IN PTR CDN-123-456-789-000.area.hoster.example.com
would produce a tag of the form
IP::PTR::SAMPLE_RULE::AREA.HOSTER.EXAMPLE.COM
Any resolved PTR records are also added to result.data['resolvedPointers'].
Example
In YAML the plugins are placed in their own plugins block:
plugins:
- name: dnsmule_plugins.PTRScanPlugin
- name: dnsmule_plugins.IPRangesPlugin
- name: dnsmule_plugins.CertCheckPlugin
config:
callback: false
Here is an example of how to add a ruleset containing all plugins to a DNSMule instance.
from dnsmule import DNSMule, RRType, Rules
from dnsmule.backends.dnspython import DNSPythonBackend
from dnsmule.loader import load_and_append_rule
from dnsmule_plugins import certcheck, ipranges, ptrscan
mule = DNSMule.make(Rules(), DNSPythonBackend())
certcheck.CertCheckPlugin(callback=False).register(mule)
ipranges.IPRangesPlugin().register(mule)
load_and_append_rule(
mule.rules,
RRType.A,
'ip.certs',
{
'name': 'certcheck',
},
)
load_and_append_rule(
mule.rules,
RRType.A,
'ip.ranges',
{
'name': 'ipranges',
'providers': [
'amazon',
'microsoft',
'google',
]
},
)
ptrscan.PTRScanPlugin().register(mule)
load_and_append_rule(
mule.rules,
RRType.A,
'ip.ptr',
{
'name': 'ptrscan'
},
)
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for dnsmule_plugins-0.5.0-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 4dfdc8c3b82f0a50a621ff35c7179bd740d84372edcf3fe1babf2220569029d3 |
|
| MD5 | e381335ee579d07d72a9ad5cb6c04fe3 |
|
| BLAKE2b-256 | e81f2fd6b67470a7bc3b8fe75fc7124003301401831d081194f19f1dc46f48af |
