##! Domain generation algorithm based detection for g01pack.
##!
##! Ported from ruby script found here:
##! https://gist.github.com/jedisct1/5149014
##! Which was ported from the javascript script found here:
##! http://www.malwaredomainlist.com/forums/index.php?topic=4962.0
##!
##! Requires: Bro 2.1+ (written against the 2.1-era builtins; re-verify the
##! generated names on newer Bro/Zeek releases before relying on them)
##! Author: Seth Hall <[email protected]>
##!
@load ./utils
module DomainGeneration;
export {
	## Tag value recorded in the shared `domains` table for every name this
	## script predicts, so a hit can be attributed to g01pack.
	redef enum Kit += { G01PACK };

	## Names predicted for the current hour window: at most one per
	## (hour offset, dictionary) pair. The set is replaced wholesale on each
	## refresh by update_g01pack_current_names(), so names from earlier
	## hours drop out of it automatically.
	global g01pack_current_names: set[string] = set();
}
## Token dictionaries for the subdomain part, keyed 1 and 2. Left empty here
## and populated in bro_init().
global g01pack_dicts: table[count] of vector of string = table();

## Dynamic-DNS suffixes used by g01pack. generate_g01pack_name() selects one
## by hour % |g01pack_domains|, so the order of this vector is part of the
## algorithm: do not reorder, drop or append entries unless the reference
## implementation changes the same way.
global g01pack_domains = vector(".doesntexist.com", ".dnsalias.com", ".dynalias.com");
## Compute the single g01pack name for one dictionary at one point in time.
##
## dict:   the token list to draw four subdomain pieces from (must be
##         non-empty; every index below is taken modulo |dict|).
## offset: shift applied to network time before the calendar fields are read,
##         used by the caller to cover clock skew between sensor and victim.
##
## Returns the predicted FQDN: four dictionary tokens concatenated, followed
## by one of the g01pack_domains suffixes.
function generate_g01pack_name(dict: vector of string, offset: interval): string
	{
	# Take one timestamp so all four fields describe the same instant.
	local stamp = network_time_for_strftime() + offset;

	# Read each calendar field with its own strftime() call rather than
	# splitting a combined "%Y %m %d %H" string, so nothing depends on the
	# index base of a split result. strftime() formats in the sensor's local
	# timezone: a DST change, or a timezone different from the victim's
	# clock, moves the predicted hour (hour_offsets exists to absorb that).
	local hour  = to_count(strftime("%H", stamp));
	local day   = to_count(strftime("%d", stamp));
	local month = to_count(strftime("%m", stamp));
	local year  = to_count(strftime("%Y", stamp));

	# Running sums, in the order the reference implementation uses them.
	local s0 = hour;
	local s1 = day + s0;
	local s2 = month + s1 - 1;
	local s3 = year + s2;

	local n = |dict|;
	local i0 = s0 % n;
	local i1 = s1 % n;
	local i2 = s2 % n;
	local i3 = s3 % n;

	# Only adjacent picks are deduplicated, and only by stepping one slot
	# forward; a non-adjacent repeat (e.g. i0 == i2) is left alone. This
	# mirrors the original algorithm and must not be "improved".
	if ( i1 == i0 )
		i1 = (i1 + 1) % n;
	if ( i2 == i1 )
		i2 = (i2 + 1) % n;
	if ( i3 == i2 )
		i3 = (i3 + 1) % n;

	# The hour alone decides which dynamic-DNS suffix is appended.
	local suffix = g01pack_domains[hour % |g01pack_domains|];

	return dict[i0] + dict[i1] + dict[i2] + dict[i3] + suffix;
	}
## Build the full set of names to watch for right now: one candidate per
## (entry of hour_offsets, dictionary) combination.
##
## Side effect: every generated name is also written into the shared
## `domains` table (from ./utils) tagged G01PACK. Nothing in this file ever
## deletes those entries, so whether stale predictions age out of `domains`
## depends entirely on ./utils — worth confirming on a long-running sensor.
##
## Returns the set of names generated in this call.
function generate_g01pack_names(): set[string]
	{
	local predicted: set[string] = set();

	for ( off in hour_offsets )
		{
		for ( idx in g01pack_dicts )
			{
			local name = generate_g01pack_name(g01pack_dicts[idx], off);

			add predicted[name];
			# Presumably the table the matching logic consults; verify in ./utils.
			domains[name] = G01PACK;
			}
		}

	return predicted;
	}
## Periodic refresh of the predicted name set. Self-rescheduling: each run
## queues the next one, so this only needs to be kicked off once (bro_init).
event update_g01pack_current_names()
	{
	# Re-arm first; the refresh below runs regardless. The names change on
	# the hour but this fires every 5 minutes, so a freshly rotated name can
	# go unrecognised for up to ~5 minutes unless an hour_offsets entry
	# already covered the next hour. There is no mechanism yet to schedule
	# exactly at the hour boundary.
	schedule 5mins { update_g01pack_current_names() };

	# Replace the set rather than merge into it, so last hour's names leave
	# g01pack_current_names (nothing in this file removes them from
	# `domains`, though).
	g01pack_current_names = generate_g01pack_names();
	}
## Load the token dictionaries and seed the first prediction run.
event bro_init()
	{
	# Both dictionaries hold the same 53 tokens in a different order.
	# Position matters because indices come from modular arithmetic on the
	# date, so these must not be reordered, deduplicated or sorted.
	g01pack_dicts[2] = vector("as","un","si","speed","no","r","in","me","da","a","o","c","try","to","n","h","call","us","why","q","k","old","j","g","how","ri","i","net","t","ko","tu","host","on","ad","portal","na","order","b","ask","l","s","d","po","cat","for","m","off","own","e","f","p","le","is");
	g01pack_dicts[1] = vector("t","speed","off","q","ask","why","portal","un","m","is","po","le","us","order","host","na","p","own","call","as","j","o","old","no","si","h","ad","e","r","g","to","cat","n","ko","how","i","tu","l","d","in","on","da","b","ri","f","try","a","k","for","me","net","c","s");

	# Kick off the first refresh; the handler re-schedules itself from then on.
	# NOTE(review): at bro_init no packets have been processed yet, so this
	# first run relies on network_time_for_strftime() (from ./utils) coping
	# with an unset network time — confirm.
	event update_g01pack_current_names();
	}