nmsg2dnsrec: Add initial implementation of NMSG to JSON converter

ff9051d2 · Radko Krkoš · ff9051d2 · ff9051d2
Commit ff9051d2 authored Jan 30, 2017 by Radko Krkoš
--- a/converters/nmsg2dnsrec/INSTALL
+++ b/converters/nmsg2dnsrec/INSTALL
+nmsg2dnsrec.py dependency installation
+======================================
+
+The NMSG to JSON conversion tool depends on two Python libraries, nmsg and dnslib.
+
+
+Debian based systems
+====================
+
+1. NMSG
+The NMSG library and the Python2 package are provided as packages for Debian (Wheezy) based GNU/Linux installations by their
+author, Farsight Security. Complete installation guide is available at:
+https://www.farsightsecurity.com/Technical/SIE_Software_Installation_Debian/
+
+	Short version:
+	- enable the repository:
+		wget -O /etc/apt/trusted.gpg.d/debian-farsightsec.gpg https://dl.farsightsecurity.com/debian/archive.pubkey
+		echo "deb http://dl.farsightsecurity.com/debian wheezy-farsightsec main" > /etc/apt/sources.list.d/debian-farsightsec.list
+		apt-get update
+	- install the Python extension (and dependencies):
+		apt-get install python-nmsg
+
+2. dnslib
+The dnslib is available as a PyPI package.
+	- install the pip manager:
+		apt-get install python-pip
+	- install dnslib:
+		pip2 install dnslib
+
+3. Usage:
+	cat data.nmsg | ./nmsg2dnsrec.py > data.json
--- a/converters/nmsg2dnsrec/nmsg2dnsrec.py
+++ b/converters/nmsg2dnsrec/nmsg2dnsrec.py
+#!/usr/bin/python
+"""Reads NMSG formated input and writes DNS information for Passive DNS processing"""
+
+import sys
+import itertools
+import nmsg
+from dnslib.dns import DNSRecord, CLASS, QTYPE, DNSError
+
+
+def process_msg(msg):
+    """Processes a NMSG record to extract DNS information"""
+    order = ('rrname', 'rdata', 'rrtype', 'rrclass', 'timestamp')
+
+    dnsrec = dict()
+    dnsrec['timestamp'] = msg.time_sec
+    try:
+        dnsparse = DNSRecord.parse(msg['dns'])
+    except KeyError:    # Not a DNS procedure
+        return
+    except DNSError:    # Malformed DNS payload
+        return
+
+    record_list = list()
+
+    for record in itertools.chain.from_iterable((dnsparse.rr, dnsparse.ar)):
+        dnsrec['rrtype'] = QTYPE.get(record.rtype)
+        if not dnsrec['rrtype'] in ('A', 'AAAA', 'CNAME', 'TXT', 'NXDOMAIN', 'NS', 'SOA', 'PTR', 'MX'):
+            continue
+        dnsrec['rrname'] = '.'.join(record.rname.label)
+        dnsrec['rdata'] = record.rdata.data[0] if dnsrec['rrtype'] == 'TXT' else record.rdata
+        dnsrec['rrclass'] = CLASS.get(record.rclass)
+        record_list.append("{" + ",".join([(('"%s":%i' if isinstance(dnsrec[key], int) else '"%s":"%s"') % (key, dnsrec[key])) for key in order]) + "}")
+    return record_list
+
+def main():
+    """NMSG parsing and user interface"""
+    nmsg_stream = nmsg.input.open_file(sys.stdin)
+    while True:
+        msg = nmsg_stream.read()
+        if msg:
+            records = process_msg(msg)
+            if records:
+                for record in records:
+                    print(record)
+        else:
+            quit()
+
+
+if __name__ == "__main__":
+    main()