
Zeek::generic_dns_tunnel
=================================

# generic_dns_tunnel

This is a Zeek package to detect DNS tunnels, generically.

Step 1:  Install this package with zkg.

Step 2:  Load the module from your site policy (for example, local.zeek) with:

```zeek
@load generic_dns_tunnel
```

Step 3:  Enjoy!

Note that with use_periodic_compute_job == F (the default) and use_proxies_instead == T (the default),
entries may not appear in generic_dns_tunnels.log until the capture_time interval (24 hours) has
elapsed. This is expected: the generic detection algorithm accumulates per-domain observations over
the whole capture window and only evaluates them when that window closes.
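To make the window behaviour concrete, here is an added, self-contained illustration of a capture-window detector. It is not the generic_dns_tunnel package's algorithm and is not Zeek code; the scoring features (unique-subdomain ratio and average label entropy per registrable domain), the thresholds, the naive last-two-labels domain split (the package uses tld-data instead) and the dns.log-style sample records are all assumptions constructed for the example. What it demonstrates is the point from the note above: nothing is reported until the window closes, so with a 24-hour capture_time a tunnel seen at the start of the window is only scored a day later unless something (such as a periodic compute job) forces evaluation.

```python
"""Added example: a capture-window DNS tunnel heuristic (not the package's code)."""
import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass, field


def registrable_domain(qname: str) -> str:
    """Naive registrable-domain split: the last two labels.
    Assumption: the real package consults tld-data for multi-label suffixes
    such as co.uk; this shortcut is enough for the constructed sample data."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def shannon_entropy(text: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class DomainStats:
    queries: int = 0
    unique_subdomains: set = field(default_factory=set)
    entropy_sum: float = 0.0


class WindowDetector:
    """Accumulate per-domain stats; evaluate only when the capture window closes."""

    def __init__(self, capture_time: float, min_queries: int = 20,
                 min_unique_ratio: float = 0.9, min_entropy: float = 3.0):
        self.capture_time = capture_time          # seconds, like Zeek's capture_time
        self.min_queries = min_queries            # assumed thresholds, not the package's
        self.min_unique_ratio = min_unique_ratio
        self.min_entropy = min_entropy
        self.window_start = None
        self.stats = defaultdict(DomainStats)
        self.alerts = []  # (domain, queries, unique_ratio, avg_entropy)

    def observe(self, ts: float, qname: str) -> None:
        if self.window_start is None:
            self.window_start = ts
        # The window closes only when a later query crosses capture_time;
        # until then nothing is reported, which is the delay the README notes.
        if ts - self.window_start >= self.capture_time:
            self.close_window()
            self.window_start = ts
        labels = qname.rstrip(".").lower().split(".")
        subdomain = ".".join(labels[:-2])
        st = self.stats[registrable_domain(qname)]
        st.queries += 1
        st.unique_subdomains.add(subdomain)
        st.entropy_sum += shannon_entropy(subdomain.replace(".", ""))

    def close_window(self) -> list:
        """Score every domain seen in the window, record alerts, reset the window."""
        new_alerts = []
        for domain, st in self.stats.items():
            if st.queries < self.min_queries:
                continue
            unique_ratio = len(st.unique_subdomains) / st.queries
            avg_entropy = st.entropy_sum / st.queries
            if unique_ratio >= self.min_unique_ratio and avg_entropy >= self.min_entropy:
                new_alerts.append((domain, st.queries, round(unique_ratio, 2), round(avg_entropy, 2)))
        self.alerts.extend(new_alerts)
        self.stats.clear()
        return new_alerts


def sample_queries():
    """Constructed dns.log-style (ts, query) records; not captured traffic."""
    records = []
    for i in range(30):
        # Tunnel-like: a fresh high-entropy label on every query.
        chunk = hashlib.sha256(f"payload-{i}".encode()).hexdigest()[:48]
        records.append((float(i), f"{chunk}.t.tunnel-example.net"))
        # Benign: the same few hostnames repeated.
        records.append((float(i), ["www", "mail", "cdn"][i % 3] + ".example.com"))
    return records


def run_demo(capture_time: float = 24 * 3600) -> dict:
    """Feed the sample through the detector; 'pending' is what was reported
    while the stream was still inside the window, 'final' what a forced close
    (a periodic compute job, say) reports at the end."""
    det = WindowDetector(capture_time)
    for ts, qname in sample_queries():
        det.observe(ts, qname)
    pending = list(det.alerts)
    final = det.close_window()
    return {"pending": pending, "final": final}


if __name__ == "__main__":
    print(run_demo())
```

With the default 24-hour window the sample's 30 tunnel-like queries (all within 30 seconds) produce no alert until the window is forced closed; with a 25-second window the same stream is flagged as soon as the window rolls over. The feature choice is deliberately simple: a benign domain repeats a handful of hostnames (low unique-subdomain ratio, low entropy), whereas a tunnel must encode new data in every label.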

Note that the most current tld-data.bro script can be downloaded from:

https://github.com/jbaggs/tld-data

More info on the TLD package:

https://github.com/sethhall/domain-tld/blob/master/scripts/main.bro

More ideas on LibArchive:

https://gitlab.com/corelight/engineering/nti/sensor-core/sensor-core/-/blob/master/plugins/corelight-archive-analyzer-plugin/CMakeLists.txt