Analyzer D4 Passivedns Versions

A Passive DNS backend and collector

v0.5

1 year ago

analyzer-d4-passivedns is an analyzer for a D4 network sensor that includes a complete Passive DNS server. The analyzer can process data produced by D4 sensors (currently in passivedns CSV format; more formats to come) or, independently of D4, ingest COF websocket streams.

A new version of analyzer-d4-passivedns has been released which includes:

  • Feeding from a COF websocket stream (independently of D4 collection). A sample COF stream (newly seen IPv6 addresses and DNS records) is included in the documentation and is kindly provided by CIRCL.
  • A new back-end, kvrocks, for large Passive DNS servers, as an alternative to Redis

v0.2

3 years ago

Main changes

New
~~~
- [launcher] scripts that launch all components in screens -t. [Jean-Louis Huynen]

Fix
~~~
- [launcher] Removed hardcoded paths. [airkeyp]
- [launcher] cd in subshell. [Jean-Louis Huynen]

Other
~~~~~
- Merge pull request #7 from axtux/master. [Alexandre Dulaunoy]

  Fix IP/domain stripping and database directory
- Create db directory and correct path. [Axtux]
- Only remove extrema dots. [Axtux]
- Merge pull request #3 from trolldbois/master. [Alexandre Dulaunoy]

  Use Environmental variables for redis
- Back to INFO. [ljaqueme]
- Let be simple. [ljaqueme]
- Supersede config with ENV if available. [ljaqueme]
- Support env for docker. [ljaqueme]

v0.1

5 years ago

Features of the analyzer-d4-passivedns version 0.1

  • A dedicated Passive DNS analyzer for the D4 client (passive DNS client type 8) to ingest passive DNS records into a Passive DNS COF server
  • The analyzer can filter out records coming from D4 sensors (for example specific record types or records)
  • The analyzer can set an expiration time per DNS record type (to expire common data that should be removed from the Passive DNS store after a specific time)
  • A Passive DNS server supporting a REST API has been added to allow querying and output of the Passive DNS records in COF format.
  • A simple PDNS injector to reinject Passive DNS records in COF format (from other Passive DNS servers) into the Passive DNS server.
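The three processing steps listed above (COF ingestion, filtering by record type, per-type expiration), together with the "only remove extrema dots" name normalization from the v0.2 changelog, as an added illustration in Python. This is not code from the analyzer-d4-passivedns project; the COF field names (rrname, rrtype, rdata, time_first, time_last, count) follow the Passive DNS Common Output Format, while the sample records, the `excluded_types` set and the `policy` dictionary (rrtype to lifetime in seconds) are constructed here and are assumptions about how such a filter and expiry policy could be expressed.

```python
import json
from typing import Dict, Iterable, List, Optional

# Fields every COF record must carry (Passive DNS Common Output Format).
REQUIRED_FIELDS = ("rrname", "rrtype", "rdata", "time_first", "time_last", "count")

# Constructed sample: newline-delimited COF JSON, values are made up.
SAMPLE_COF = """\
{"rrname": "example.com.", "rrtype": "A", "rdata": "192.0.2.10", "time_first": 1700000000, "time_last": 1700086400, "count": 12}
{"rrname": "example.com", "rrtype": "AAAA", "rdata": "2001:db8::1", "time_first": 1700000000, "time_last": 1700000000, "count": 1}
{"rrname": ".mail.example.com", "rrtype": "MX", "rdata": "10 mx.example.com", "time_first": 1699000000, "time_last": 1699000100, "count": 3}
{"rrname": "example.com", "rrtype": "TXT", "rdata": "v=spf1 -all", "time_first": 1700050000, "time_last": 1700050000, "count": 2}
"""


def normalize_name(name: str) -> str:
    """Strip only the leading and trailing dots ("extrema dots"); inner dots stay."""
    return name.strip(".")


def parse_cof(text: str) -> List[Dict]:
    """Parse newline-delimited COF records, rejecting lines that lack required fields."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            raise ValueError(f"line {lineno}: missing COF fields {missing}")
        rec["rrname"] = normalize_name(rec["rrname"])
        records.append(rec)
    return records


def filter_records(records: Iterable[Dict], excluded_types: Iterable[str]) -> List[Dict]:
    """Drop records whose rrtype is on the exclusion list (e.g. noisy types)."""
    excluded = {t.upper() for t in excluded_types}
    return [r for r in records if r["rrtype"].upper() not in excluded]


def expiry_deadline(rec: Dict, policy: Dict[str, int]) -> Optional[int]:
    """Epoch second after which the record should be dropped, or None if it never expires.

    `policy` maps an rrtype to a lifetime in seconds counted from time_last
    (assumed policy shape, not the project's configuration format).
    """
    ttl = policy.get(rec["rrtype"].upper())
    if ttl is None:
        return None
    return rec["time_last"] + ttl


def is_expired(rec: Dict, policy: Dict[str, int], now: int) -> bool:
    deadline = expiry_deadline(rec, policy)
    return deadline is not None and deadline < now


def ingest(text: str, excluded_types: Iterable[str], policy: Dict[str, int], now: int) -> List[Dict]:
    """Full pipeline: parse, filter by type, then drop records past their expiry."""
    return [r for r in filter_records(parse_cof(text), excluded_types)
            if not is_expired(r, policy, now)]


def keys_of(records: Iterable[Dict]) -> List[tuple]:
    """Stable (rrname, rrtype, rdata) keys, the usual lookup tuple of a passive DNS store."""
    return sorted((r["rrname"], r["rrtype"], r["rdata"]) for r in records)


if __name__ == "__main__":
    # Eight days after the A record was last seen: A expires under a 7-day policy,
    # TXT is filtered out, AAAA and MX (no policy entry) are kept.
    now = 1700086400 + 8 * 86400
    for key in keys_of(ingest(SAMPLE_COF, {"TXT"}, {"A": 7 * 86400, "TXT": 86400}, now)):
        print(key)
```

Records with no policy entry are kept indefinitely, which matches the stated intent of expiring only "common data" by type; anything you want to age out must appear explicitly in the policy.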