Monitor bind9 logs and push queries to Slack
import time | |
import requests | |
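def is_blacklisted(domain, path="blacklist.txt"):
    """Return True if *domain* is listed in the blacklist file.

    The file is re-read on every call, so edits to it take effect
    without restarting the watcher. One name per line; surrounding
    whitespace and blank lines are ignored, and the comparison is
    case-insensitive because DNS names are (the caller already passes
    the query name lowercased).

    Args:
        domain: query name to test.
        path: blacklist file; defaults to ``blacklist.txt`` in the
            current working directory, as the original hard-coded name.

    Returns:
        bool: True when the name is blacklisted.

    Raises:
        IOError/OSError: if the blacklist file cannot be opened.
    """
    # ``with`` closes the handle; the previous version leaked one per call.
    with open(path) as fp:
        blocked = {line.strip().lower() for line in fp if line.strip()}
    return domain.lower() in blocked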
def escape_domain(domain):
    """Defang the monitored zone so Slack does not unfurl it as a link.

    Every occurrence of ``yourdomain.com`` becomes ``yourdomain[.]com``;
    any other text is returned unchanged.
    """
    defanged = 'yourdomain[.]com'
    return defanged.join(domain.split('yourdomain.com'))
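def watch(fn, poll_interval=0.5):
    """Tail a bind9 query log and yield one tuple per new query line.

    Reading starts at the current end of the file, so existing entries
    are never replayed. Each complete line is split on single spaces and
    fields 7, 9 and 4 are yielded as ``(qname_lowercased, qtype, client)``.
    Lines with too few fields are skipped instead of raising IndexError,
    and a line the writer has only partially flushed is buffered until
    its newline arrives rather than being split mid-way.

    The file is opened once and never reopened, so a log that is rotated
    by rename or truncation stops being followed; restart the watcher
    after rotation.

    Args:
        fn: path of the query log.
        poll_interval: seconds to sleep when no new data is available.

    Yields:
        tuple[str, str, str]: (query name, query type, client address).
    """
    with open(fn, 'r') as fp:
        fp.seek(0, 2)  # 2 == os.SEEK_END: only report queries from now on
        pending = ''
        while True:
            chunk = fp.readline()
            if not chunk:
                time.sleep(poll_interval)
                continue
            pending += chunk
            if not pending.endswith('\n'):
                # writer is mid-line; wait for the rest before parsing
                continue
            line, pending = pending, ''
            parts = line.split(' ')
            if len(parts) <= 9:
                # not a query record in the expected layout; ignore it
                continue
            yield (parts[7].lower(), parts[9], parts[4])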
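# Path of the bind9 query log that is tailed below.
queries = '/var/log/named/queries.log'
# Incoming webhook of the Slack channel that receives the notifications.
# This URL is a credential: keep the real value out of version control.
SLACK_WEBHOOK = 'https://hooks.slack.com/services/.../.../...'
# Only queries for this zone, or for names beneath it, are forwarded.
MONITORED_ZONE = 'yourdomain.com'


def _slack_escape(text):
    """Escape the three characters Slack treats as message markup.

    Query names arrive straight from whoever sent the DNS query, so they
    are untrusted; a label shaped like Slack link markup would otherwise
    render as a clickable link in the channel.
    """
    return text.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;')


def _in_monitored_zone(domain):
    """Return True if *domain* is MONITORED_ZONE or a name beneath it.

    The previous substring test also accepted names such as
    ``notyourdomain.com`` or ``yourdomain.com.attacker.example``.
    """
    name = domain.rstrip('.')
    return name == MONITORED_ZONE or name.endswith('.' + MONITORED_ZONE)


# ``qtype`` rather than ``type`` so the builtin is not shadowed.
for domain, qtype, fromip in watch(queries):
    print("%s %s %s" % (domain, qtype, fromip))
    if not _in_monitored_zone(domain):
        print("illegal request")
    elif is_blacklisted(domain):
        print("blacklisted - skipping")
    else:
        text = '[dns] [%s] %s from %s' % (
            _slack_escape(qtype),
            escape_domain(_slack_escape(domain)),
            _slack_escape(fromip),
        )
        try:
            # timeout: without one a stalled connection blocks the watcher forever
            resp = requests.post(SLACK_WEBHOOK, json={'text': text}, timeout=10)
            resp.raise_for_status()
        except requests.RequestException as exc:
            # a transient Slack or network failure must not kill the log watcher
            print("slack post failed: %s" % exc)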
This has been integrated in https://github.com/honoki/wilson-cloud-respwnder