DNS sinkholing with Bro
@load base/utils/exec
# Everything declared below lives in the Blackhole namespace
# (Blackhole::LOG, Blackhole::Info, Blackhole::send_reply).
module Blackhole;
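export {
    ## Identifier of this module's own log stream; send_reply writes
    ## one Info record to it per answered query.
    redef enum Log::ID += { LOG };

    ## One log record per DNS query that the sinkhole tried to answer.
    type Info: record {
        ## The time at which the query was observed
        ts: time &log;
        ## A unique identifier of the connection over which the DNS query was seen
        uid: string &log;
        ## The connection's 4-tuple of endpoint addresses/ports.
        id: conn_id &log;
        ## The transport layer protocol of the connection.
        proto: transport_proto &log;
        ## A 16-bit identifier assigned by the program that generated the DNS
        ## query. Also used in responses to match up replies to outstanding
        ## queries; the forged reply reuses it so the client matches it to
        ## its own question.
        trans_id: count &log;
        ## The domain name that is the subject of the DNS query.
        query: string &log;
        ## Whether or not the reply was successfully sent, i.e. whether the
        ## external reply-sending command exited with status 0. This only
        ## says the command ran, not that the client accepted the answer.
        blocked: bool &log;
    }; # fix: a type declaration must be terminated with ';'

    ## An event that can be handled to access the :bro:type:`Blackhole::Info`
    ## record as it is sent to the logging framework.
    global log_blackhole: event(rec: Info);

    ## Answers the given DNS query with a forged CNAME reply pointing at the
    ## sinkhole name by running an external command (see the implementation
    ## below), then logs the attempt. Only IN A queries are handled; any
    ## other qtype/qclass is ignored.
    ##
    ## c:      The connection carrying the query.
    ## msg:    The DNS message header; its id is echoed in the reply.
    ## query:  The queried name (untrusted network input; it is
    ##         shell-escaped before being placed in the command line).
    ## qtype:  Query type; only 1 (A) is answered.
    ## qclass: Query class; only 1 (IN) is answered.
    global send_reply: function(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count);
};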
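event bro_init() &priority=5
    {
    # Register this module's own stream (Blackhole::LOG). The original
    # registered it under DNS::LOG, the id of Bro's DNS analyzer stream,
    # so Blackhole::LOG was never created and the Log::write(LOG, ...)
    # in send_reply had no stream to write to.
    Log::create_stream(LOG, [$columns=Info, $ev=log_blackhole]);
    }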
function send_reply(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    # Answer an observed DNS query with a forged CNAME to the sinkhole name
    # by shelling out to mausezahn, and log whether the command succeeded.
    # Only IN (qclass 1) A (qtype 1) queries are answered; anything else is
    # silently ignored.
    if ( qtype != 1 || qclass != 1 )
        return;

    # The reply is sourced from the server (resp_h) towards the client
    # (orig_h) and carries the client's transaction id. The query name is
    # untrusted network input embedded in a shell command line, so it goes
    # through str_shell_escape(); the addresses and the id are typed values
    # rendered by fmt().
    local template = "mausezahn -t dns -A %s -B %s \"q = %s, a=CNAME:3600:%s, id=%d\"";
    local sinkhole_cmd = fmt(template, c$id$resp_h, c$id$orig_h, str_shell_escape(query), "blocked.cmu.edu", msg$id);

    when ( local result = Exec::run([$cmd=sinkhole_cmd]) )
        {
        # `blocked` reflects only the command's exit status, not whether
        # the client accepted the forged answer.
        local entry: Info = [$ts = network_time(),
                             $uid = c$uid,
                             $id = c$id,
                             $proto = c$proto,
                             $trans_id = msg$id,
                             $query = query,
                             $blocked = result$exit_code == 0];
        Log::write(LOG, entry);
        }
    }