#Tool
BotDAD

#Link
https://github.com/mannirulz/BotDAD

#Description
Tool for anomaly-based botnet detection using DNS traffic analysis. It is still under development, but its most basic functionality has been useful.
Here it is used as a DNS fingerprinting tool and as a request/response logging tool.

#Usage
As the tool only accepts pcaps containing DNS traffic, tshark (shipped with Wireshark) has been used to create an onlydns.pcap file from the original capture in the tcpdump folder, with the following command:

tshark -r capture.pcap -F pcap -Y dns -t ad -w onlydns.pcap

Here -r reads the original capture, -F selects the output file format (pcap), the -Y display filter keeps only packets matching dns, and -w writes the filtered packets to the new file. The -t ad option selects the timestamp format (absolute, with date), but it only affects the summary lines tshark prints; the packet timestamps stored in the written pcap are unchanged. More information on the manual page: https://www.wireshark.org/docs/man-pages/tshark.html
Note that the tool works with pcaps covering at most 1 hour, so if the capture spans a longer period the onlydns.pcap file must be split. This can be done with editcap (also from Wireshark), whose -i option starts a new output file every given number of seconds. It was not needed here, so it has not been tested.

Once the onlydns.pcap file is ready, it only remains to run the program (main.py, with Python 2.7.9); the DNS_FP.csv file and the request/response/log CSV files are then created automatically.

#Input
The capture_date.pcap file from the tcpdump folder, turned into an onlydns.pcap file as described above.

#Output
capture.pcap_log.csv with basic information about the processed capture.
capture.pcap_req.csv with the requests' information. The file has no header row; the columns are, in order: tokenID, hostname, url, nbr_of_tokens, request_type, url_len, timestamp, dns_server_ip
capture.pcap_res.csv with the responses' information. The file has no header row; the columns are, in order: tokenID, hostname, url, res_code, request_type, ttl, resolved_ip, timestamp
DNS_FP.csv, where per-host statistics about the DNS queries appear.
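Because the request and response CSV files carry no header row, any further processing has to supply the column names listed above. The following Python 3 script is an added example, not part of BotDAD, that reads both files with those names, joins them on tokenID and computes simple per-client statistics (query count, distinct names, NXDOMAIN and unanswered counts) of the kind used to spot DGA-style lookups. It assumes that hostname is the client that issued the query, that url is the queried name and that res_code is the DNS RCODE (3 = NXDOMAIN); the sample rows, the flagging threshold and the function names are all constructed for the example.

```python
"""Added example: post-process BotDAD's headerless *_req.csv / *_res.csv output.

Column order follows the list documented above. Everything else (the sample
rows, the meaning of hostname/url/res_code, the threshold) is an assumption.
"""
import csv
import io
from collections import defaultdict

# Column order as documented for capture.pcap_req.csv and capture.pcap_res.csv.
REQ_FIELDS = ["tokenID", "hostname", "url", "nbr_of_tokens", "request_type",
              "url_len", "timestamp", "dns_server_ip"]
RES_FIELDS = ["tokenID", "hostname", "url", "res_code", "request_type",
              "ttl", "resolved_ip", "timestamp"]

# Assumption: res_code holds the DNS RCODE, either numeric or as its name.
NXDOMAIN_CODES = {"3", "NXDOMAIN"}

# Constructed sample rows (not real BotDAD output). Request 7 has no response.
SAMPLE_REQ = """\
1,10.0.0.5,www.example.com,3,A,15,2019-03-01 10:00:01,10.0.0.1
2,10.0.0.5,mail.example.com,3,A,16,2019-03-01 10:00:02,10.0.0.1
3,10.0.0.5,www.example.com,3,A,15,2019-03-01 10:00:09,10.0.0.1
4,10.0.0.7,kq3x9zp.example.net,3,A,19,2019-03-01 10:00:03,10.0.0.1
5,10.0.0.7,b7t0lmq.example.net,3,A,19,2019-03-01 10:00:04,10.0.0.1
6,10.0.0.7,zz91ycx.example.net,3,A,19,2019-03-01 10:00:05,10.0.0.1
7,10.0.0.7,c2.example.net,3,A,14,2019-03-01 10:00:06,10.0.0.1
"""
SAMPLE_RES = """\
1,10.0.0.5,www.example.com,0,A,300,93.184.216.34,2019-03-01 10:00:01
2,10.0.0.5,mail.example.com,0,A,300,93.184.216.35,2019-03-01 10:00:02
3,10.0.0.5,www.example.com,0,A,300,93.184.216.34,2019-03-01 10:00:09
4,10.0.0.7,kq3x9zp.example.net,3,A,0,,2019-03-01 10:00:03
5,10.0.0.7,b7t0lmq.example.net,3,A,0,,2019-03-01 10:00:04
6,10.0.0.7,zz91ycx.example.net,3,A,0,,2019-03-01 10:00:05
"""


def parse_rows(text, fields):
    """Parse a headerless CSV into dicts keyed by the documented column names."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=fields))


def per_client_stats(req_rows, res_rows):
    """Join requests to responses on tokenID and summarise per querying client.

    Assumption: hostname is the client that sent the query, url the queried name.
    """
    res_by_token = {r["tokenID"]: r for r in res_rows}
    acc = defaultdict(lambda: {"queries": 0, "names": set(), "nxdomain": 0,
                               "unanswered": 0, "url_len_total": 0})
    for q in req_rows:
        s = acc[q["hostname"]]
        s["queries"] += 1
        s["names"].add(q["url"])
        s["url_len_total"] += int(q["url_len"])
        r = res_by_token.get(q["tokenID"])
        if r is None:
            s["unanswered"] += 1          # request never got a logged response
        elif r["res_code"] in NXDOMAIN_CODES:
            s["nxdomain"] += 1
    stats = {}
    for client, s in acc.items():
        stats[client] = {
            "queries": s["queries"],
            "distinct_names": len(s["names"]),
            "nxdomain": s["nxdomain"],
            "unanswered": s["unanswered"],
            "nxdomain_ratio": s["nxdomain"] / s["queries"],
            "avg_url_len": s["url_len_total"] / s["queries"],
        }
    return stats


def flag_clients(stats, min_queries=3, max_nx_ratio=0.5):
    """Return clients whose NXDOMAIN ratio exceeds an (assumed) threshold.

    Many distinct names with mostly NXDOMAIN answers is the classic DGA signal;
    the threshold values here are illustrative, not tuned.
    """
    return sorted(c for c, s in stats.items()
                  if s["queries"] >= min_queries
                  and s["nxdomain_ratio"] > max_nx_ratio)


def main():
    stats = per_client_stats(parse_rows(SAMPLE_REQ, REQ_FIELDS),
                             parse_rows(SAMPLE_RES, RES_FIELDS))
    for client, s in sorted(stats.items()):
        print(client, s)
    print("flagged:", flag_clients(stats))


if __name__ == "__main__":
    main()
```

To run it on real output, replace the embedded sample strings with the contents of capture.pcap_req.csv and capture.pcap_res.csv; the column lists stay as documented above.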

