#!/opt/local/bin/python
# Number of observed queries for one name above which a DROP rule is emitted.
BLOCK_THRESHOLD = 1000
import binascii
import struct
from sys import argv

from scapy.all import rdpcap,DNSQR
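# Refuse to run without exactly one capture path instead of dying with an
# IndexError traceback on argv[1].
if len(argv) != 2:
    raise SystemExit("usage: %s <capture.pcap>" % argv[0])
# All packets from the capture file given on the command line.
packets = rdpcap(argv[1])
# qname -> [number of packets carrying that question, hex wire-format name]
domains = {}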
def phex(i):
    """Return *i* as lower-case hex, zero-padded to at least two digits."""
    return format(i, "02x")
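def hex_qname(qname):
    """Return the DNS wire-format encoding of *qname* as a hex string.

    Each label becomes a one-byte length followed by the label bytes, which
    is what the emitted ``--hex-string`` rule matches on. Empty labels (the
    trailing root dot) are skipped, so no terminating zero byte is produced
    and the pattern also matches longer names sharing the same prefix.

    Accepts ``bytes`` or ``str`` and works on both Python 2 and 3 (the
    original ``str.encode('hex')`` is Python 2 only).

    Raises:
        ValueError: if a label exceeds the 63-byte DNS limit; the old code
            silently produced a three-digit length that iptables would
            misparse.
    """
    if not isinstance(qname, bytes):
        # NOTE(review): scapy hands over bytes on Python 3; a text qname is
        # assumed ASCII/UTF-8 compatible — confirm against the scapy in use.
        qname = qname.encode('utf-8')
    wire = []
    for label in qname.split(b'.'):
        if not label:
            continue
        if len(label) > 63:
            raise ValueError("DNS label longer than 63 bytes: %r" % (label,))
        wire.append(struct.pack("B", len(label)))
        wire.append(label)
    return binascii.hexlify(b"".join(wire)).decode('ascii')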
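for pkt in packets:
    if DNSQR not in pkt:
        continue
    qname = pkt[DNSQR].qname
    # NOTE(review): responses carry the question section too, so a capture
    # holding both directions counts each query twice against
    # BLOCK_THRESHOLD — confirm whether only queries should be counted.
    try:
        domains[qname][0] += 1
    except KeyError:
        # First sighting: a bare `except:` here also swallowed
        # KeyboardInterrupt; only a missing key is expected.
        domains[qname] = [1, hex_qname(qname)]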
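for qname, (count, hexpat) in domains.items():
    if count <= BLOCK_THRESHOLD:
        continue
    # On Python 3 the qname is bytes; print the text, not its repr.
    if isinstance(qname, bytes):
        label = qname.decode('ascii', 'replace')
    else:
        label = qname
    # The name is chosen by whoever sent the queries. Keep the --comment to a
    # conservative character set so a crafted name cannot break out of the
    # quoted rule when this output is pasted into a shell or iptables-restore,
    # and stay within xt_comment's 256-byte limit.
    label = "".join(c if c.isalnum() or c in ".-_" else "?" for c in label)
    label = label[:256 - len("DROP DNS Q ")]
    print ("-A INPUT -p udp -m string --hex-string "
           "\"|{1}|\" --algo bm --dport 53 -j DROP -m comment "
           "--comment \"DROP DNS Q {0}\"".format(label, hexpat))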