diff --git a/docs/workshop/4-passive-dns/d4-introduction.pdf b/docs/workshop/4-passive-dns/d4-introduction.pdf
index bf95219..3df2a08 100644
Binary files a/docs/workshop/4-passive-dns/d4-introduction.pdf and b/docs/workshop/4-passive-dns/d4-introduction.pdf differ
diff --git a/docs/workshop/4-passive-dns/d4-introduction.tex b/docs/workshop/4-passive-dns/d4-introduction.tex
index 9440a44..de2f12b 100644
--- a/docs/workshop/4-passive-dns/d4-introduction.tex
+++ b/docs/workshop/4-passive-dns/d4-introduction.tex
@@ -58,6 +58,119 @@ \includegraphics[scale=0.38]{d4-overview.pdf} \end{frame} + +\begin{frame}[t]{Common Output Format} +\begin{itemize} +\item {\bf Consistent naming of fields across Passive DNS software} based on the most common Passive DNS implementations +\item Minimal set of fields to be supported +\item Minimal set of optional fields to be supported +\item Way to add "additional" fields via a simple registry mechanism (IANA-like) +\item Simple and easily parsable format +\item A gentle reminder regarding privacy aspects of Passive DNS +\end{itemize} +\end{frame} + +\begin{frame}[t,fragile]{Sample output www.terena.org} +\lstdefinelanguage{JavaScript}{ + keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break}, + keywordstyle=\color{blue}\bfseries, + ndkeywords={class, export, boolean, throw, implements, import, this}, + ndkeywordstyle=\color{darkgray}\bfseries, + identifierstyle=\color{black}, + sensitive=false, + comment=[l]{//}, + morecomment=[s]{/*}{*/}, + commentstyle=\color{purple}\ttfamily, + stringstyle=\color{red}\ttfamily, + morestring=[b]', + morestring=[b]" +} + +\lstset{ + language=JavaScript, + backgroundcolor=\color{lightgray}, + extendedchars=true, + basicstyle=\footnotesize\ttfamily, + showstringspaces=false, + showspaces=false, + numbers=left, + numberstyle=\footnotesize, + numbersep=9pt, + tabsize=2, + breaklines=true, + showtabs=false, + captionpos=b +} +\lstset{breaklines=true, language=JavaScript} +\begin{lstlisting} +{"count": 868, "time_first": 1298398002, "rrtype": "A", "rrname": "www.terena.org", "rdata": "192.87.30.6", "time_last": 1383124252} +{"count": 89, "time_first": 1383729690, "rrtype": "CNAME", "rrname": "www.terena.org", "rdata": "godzilla.terena.org", "time_last": 1391517643} +{"count": 110, "time_first": 1298398002, "rrtype": "AAAA", "rrname": "www.terena.org", "rdata": "2001:610:148:dead::6", "time_last": 136670845} +\end{lstlisting} +\end{frame} + + 
+\begin{frame}[t]{Mandatory fields} +\begin{itemize} +\item \textbf{rrname} : name of the queried resource records +\begin{itemize} +\item JSON String +\end{itemize} +\item \textbf{rrtype} : resource record type +\begin{itemize} +\item JSON String (interpreted type of resource type if known) +\end{itemize} +\item \textbf{rdata} : resource records of the query(ied) resource(s) +\begin{itemize} +\item JSON String or an array of string if more than one unique triple +\end{itemize} +\item \textbf{time\_first} : first time that the resource record triple (rrname, rrtype, rdata) was seen +\item \textbf{time\_last} : last time that the resource record triple (rrname, rrtype, rdata) was seen +\begin{itemize} +\item JSON Number (epoch value) UTC TZ +\end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}[t]{Optional fields} +\begin{itemize} +\item \textbf{count} : how many authoritative DNS answers were received by the Passive DNS collector +\begin{itemize} +\item JSON Number +\end{itemize} +\item \textbf{bailiwick} : closest enclosing zone delegated to a nameserver served in the zone of the resource records +\begin{itemize} +\item JSON String +\end{itemize} + +\end{itemize} +\end{frame} + +\begin{frame}[t]{Additionals fields} +\begin{itemize} +\item \textbf{sensor\_id} : Passive DNS sensor information +\begin{itemize} +\item JSON String +\end{itemize} +\item \textbf{zone\_time\_first} : specific first/last time seen when imported from a master file +\item \textbf{zone\_time\_last} +\begin{itemize} +\item JSON Number +\end{itemize} +\item Additional fields can be requested via \url{https://github.com/adulau/pdns-qof/wiki/Additional-Fields} +\end{itemize} +\end{frame} + +\begin{frame}[t]{Future} +\begin{itemize} + \item {\bf Mixing models for passive DNS stream} (for privacy) in next version of D4 core server + \item Interconnecting private D4 sensor networks with other D4 sensor networks (sharing to partners filtered stream) + \item Previewing dataset collected in D4 
sensor network and providing {\bf open data stream} (if contributor agrees to share under specific conditions) +\end{itemize} + +\end{frame} + + \begin{frame} \frametitle{Get in touch if you want to join/support the project, host a passive dns sensor or contribute} \begin{itemize}
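Review bot: The third sample record in the `lstlisting` of the "Sample output www.terena.org" frame has `"time_last": 136670845`, a nine-digit epoch that is earlier than the record's own `time_first` of 1298398002. That contradicts the first-seen/last-seen definitions on the "Mandatory fields" frame and looks like a dropped digit, so the value should be checked against the source data before the slide is reused as a parser fixture. In the same frame `catch` is listed twice in `keywords`, and the second `\lstset{breaklines=true, language=JavaScript}` repeats options the preceding `\lstset` already sets. The hunk also mixes `{\bf ...}` with `\textbf{...}`; I would write `\textbf{Consistent naming of fields across Passive DNS software}` and likewise on the "Future" frame. The frame title "Additionals fields" should read "Additional fields".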