balboa
server for indexing and querying passive DNS observations
DNSMonster seems to have had success using ClickHouse for storage and indexing. It might make sense to investigate its use for balboa as well.
This PR addresses #35, allowing a query for more than one sensor ID in the `entries()` query. This is backwards compatible, since ```graphql query { entries(rdata:"1.2.3.4", sensor_id:["foo"]) { rrname sensor_id...
It would be nice to have GELF (https://docs.graylog.org/en/4.0/pages/gelf.html#gelf-payload-specification) compatible JSON logging output, as an additional logging option.
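As an added illustration of what a GELF-compatible log line has to look like (this is example code written for this page, not balboa's logging code), the following builds a GELF 1.1 payload according to the linked payload specification: `version` fixed at `"1.1"`, `host` and `short_message` mandatory, `timestamp` as fractional seconds since the epoch, `level` as a syslog severity, and every additional field prefixed with `_`, with `_id` rejected because the spec reserves it. The function names, the field validation regexp and the sample field values (`sensor_id`, `rrname`) are assumptions for the example; the NUL framing in `FrameGELFTCP` follows the GELF TCP transport, which delimits messages with a zero byte.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"regexp"
	"time"
)

// Additional GELF field names must match ^[\w\.\-]*$ (spec), and we also
// require at least one character so "_" alone cannot be produced.
var gelfFieldRe = regexp.MustCompile(`^[\w\.\-]+$`)

// BuildGELF assembles a GELF 1.1 message as a generic map so that the
// "_"-prefixed additional fields land at the top level, as the spec requires.
// host and shortMsg are mandatory; fullMsg is optional; level is a syslog
// severity (0..7); extra holds additional fields without the "_" prefix.
func BuildGELF(host, shortMsg, fullMsg string, level int, ts time.Time, extra map[string]interface{}) (map[string]interface{}, error) {
	if host == "" || shortMsg == "" {
		return nil, errors.New("gelf: host and short_message are mandatory")
	}
	if level < 0 || level > 7 {
		return nil, fmt.Errorf("gelf: level %d outside syslog range 0..7", level)
	}
	m := map[string]interface{}{
		"version":       "1.1",
		"host":          host,
		"short_message": shortMsg,
		// seconds since epoch with fractional part, as the spec describes
		"timestamp": float64(ts.Unix()) + float64(ts.Nanosecond())/1e9,
		"level":     level,
	}
	if fullMsg != "" {
		m["full_message"] = fullMsg
	}
	for k, v := range extra {
		if !gelfFieldRe.MatchString(k) {
			return nil, fmt.Errorf("gelf: additional field %q has illegal characters", k)
		}
		key := "_" + k
		if key == "_id" {
			// "_id" is reserved by GELF and must not be sent by clients
			return nil, errors.New("gelf: additional field name 'id' is reserved")
		}
		m[key] = v
	}
	return m, nil
}

// FrameGELFTCP serialises the message as one JSON document and appends the
// NUL byte that delimits messages on the GELF TCP transport.
func FrameGELFTCP(m map[string]interface{}) ([]byte, error) {
	b, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	return append(b, 0), nil
}

func main() {
	// constructed sample: one passive-DNS observation logged as an event
	m, err := BuildGELF("balboa-01", "observation stored", "", 6, time.Now(),
		map[string]interface{}{"sensor_id": "foo", "rrname": "example.com.", "rrtype": "A"})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	b, _ := FrameGELFTCP(m)
	// print without the trailing NUL so the line stays readable on a terminal
	fmt.Println(string(b[:len(b)-1]))
}
```

The map-based construction is deliberate: a fixed struct cannot express the open-ended set of `_`-prefixed fields, and a logging option that produced them nested under a sub-object would be valid JSON but not valid GELF.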
Hi guys! It would be great if you could add a time range filter to the `entries` query. For example: request entries that have `time_first_rfc3339` later than some `start` param but `time_last_rfc3339`...
Suricata will get support for more DNS data from its parser: https://github.com/OISF/suricata/pull/5331 We need to make sure that this does not impact the Suricata feeder and also make use of...
It should be possible to purge data from a database, selected via some matching indicator. An example would be deleting all observations from a specific sensor ID.
Perhaps it is a good idea to see whether one could use https://github.com/google/oss-fuzz to fuzz-test the feeder components and the C backend.
At the moment, we have some first unit tests. These are fine for checking correctness at a fine granularity. It would also be nice to have a test case...
Properly handle AAAA records in https://github.com/DCSO/balboa/blob/a1bb4c5fa9ebd6c850f43ca57784f6620e9b1d9f/format/format_nmsg.go#L66-L79
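As an added example of what handling AAAA rdata correctly involves (this is illustrative code written for this page, not the code in `format/format_nmsg.go`), the function below renders a raw rdata blob into presentation form keyed on the rrtype: an A record must be exactly 4 bytes and an AAAA record exactly 16, and any other length is an error instead of a silently wrong address. It uses `net/netip` (Go 1.18+) rather than `net.IP.String()` so that an IPv4-mapped IPv6 answer such as `::ffff:192.0.2.1` keeps its IPv6 notation instead of collapsing to `192.0.2.1`, which would make an AAAA observation indistinguishable from an A observation. The rrtype constants, function names and sample byte strings are assumptions constructed for the example; only the rrtype numbers (1 for A, 28 for AAAA) and the wire lengths are fixed by the DNS RFCs.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"net/netip"
)

// RR type codes from RFC 1035 (A) and RFC 3596 (AAAA).
const (
	TypeA    uint16 = 1
	TypeAAAA uint16 = 28
)

// FormatRdata converts one raw rdata value into its textual form.
// Address types are length-checked; other types are hex-encoded so they
// remain storable without claiming an interpretation the code does not have.
func FormatRdata(rrtype uint16, rdata []byte) (string, error) {
	switch rrtype {
	case TypeA:
		if len(rdata) != 4 {
			return "", fmt.Errorf("A rdata has %d bytes, want 4", len(rdata))
		}
		var a [4]byte
		copy(a[:], rdata)
		return netip.AddrFrom4(a).String(), nil
	case TypeAAAA:
		if len(rdata) != 16 {
			return "", fmt.Errorf("AAAA rdata has %d bytes, want 16", len(rdata))
		}
		var a [16]byte
		copy(a[:], rdata)
		// AddrFrom16 preserves IPv4-mapped addresses as ::ffff:a.b.c.d;
		// net.IP(rdata).String() would print just a.b.c.d here.
		return netip.AddrFrom16(a).String(), nil
	default:
		return hex.EncodeToString(rdata), nil
	}
}

// FormatRdataList renders every rdata entry of an answer set. One malformed
// entry fails the whole set so a feeder can count and log it rather than
// index a half-converted answer.
func FormatRdataList(rrtype uint16, rdatas [][]byte) ([]string, error) {
	out := make([]string, 0, len(rdatas))
	for i, rd := range rdatas {
		s, err := FormatRdata(rrtype, rd)
		if err != nil {
			return nil, fmt.Errorf("rdata[%d]: %w", i, err)
		}
		out = append(out, s)
	}
	return out, nil
}

func main() {
	// constructed samples: 2001:db8::1 and ::ffff:192.0.2.1 as AAAA wire data
	v6 := []byte{0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}
	mapped := []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 192, 0, 2, 1}
	got, err := FormatRdataList(TypeAAAA, [][]byte{v6, mapped})
	fmt.Println(got, err)
	// an A rdata arriving with 16 bytes is rejected, not mis-rendered
	_, err = FormatRdata(TypeA, v6)
	fmt.Println(err)
}
```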
At least for the FEVER input, the feeder receives the IP of the answering DNS server. It could be useful to be able to store and query these data in...