###############################################################################
# Iquery Exploit Detector.
#
# -sili@l0pht.com
#
# NFR N-code filter: watches TCP traffic to port 53 and records DNS inverse
# queries (opcode 1, IQUERY), flagging those whose query ID is 31337 as an
# exploit attempt.  Every hit is written through the_recorder using the
# schema declared below.
#
# NOTE(review): only TCP is inspected here; DNS also travels over UDP/53, so
# coverage of inverse queries sent over UDP depends on a separate filter
# (none is present in this file).
###############################################################################

# Record layout for the_recorder: timestamp, source IP, destination IP and a
# free-form reason string -- the four values passed to each "record" below.
the_schema= library_schema:new( 1, [ "time","ip","ip","str"], scope() );

# Runs once per client->server TCP packet with destination port 53.
# The DNS ID and flags are read at ip.blob offsets 18 and 20; this assumes
# the DNS header starts there and that long() yields the 16-bit DNS field in
# its low bits -- TODO confirm both against the NFR ip.blob/long() definitions.
# No length check guards these reads, so behaviour on segments too short to
# hold a DNS header (e.g. a bare SYN) is not shown here.
filter TCPpackets tcp(client, dport: 53) {
    # DNS transaction ID.
    $qid = long(ip.blob,18);
    # echo ("Query ID = ",$qid,"\n");

    # DNS flags word.  Shifting by 11 places the 4-bit opcode in the low bits;
    # the 0x7fff mask also keeps the QR bit (as value 16), so a response
    # (QR=1) carrying opcode 1 yields 17 and does not match below -- only
    # queries match.  If long() returns more than 16 bits, further high bits
    # would leak into $opcode the same way.
    $opcode = (long(ip.blob,20) >> 11) & 0x7fff;
    # echo ("Opcode = ",$opcode,"\n");

    # RD (recursion desired): bit 8 of the flags word.
    $rd = (long(ip.blob,20) & 0x1FF ) >> 8 ;
    # echo ("RD = ",$rd,"\n");

    # RA (recursion available): bit 7 of the flags word.  RA belongs in
    # responses, so a query carrying RA=1 is itself unusual.
    $ra = (long(ip.blob,20) & 0xFF ) >> 7 ;
    # echo ("RA = ",$ra,"\n");

    # Exploit signature: inverse query (opcode 1) with the fixed ID 31337 and
    # both RD and RA set.  "&" here is bitwise; it presumably acts as a
    # logical AND because each comparison yields 0 or 1 -- verify for N-code.
    if ( ($qid == 31337) & ($opcode == 1) & ($rd == 1) & ($ra == 1)) {
        $reason = "Exploit! Inverse Query, Query ID = 31337!";
        echo ($reason,"\n");
        record system.time, ip.src, ip.dst, $reason to the_recorder;
    }
    else if ( ($opcode == 1) ) {
        # Any other inverse query over TCP/53 is recorded (not echoed) as
        # noteworthy.  NOTE(review): "Inverste" is a typo in the recorded
        # reason string; left unchanged here because downstream tooling
        # (the histogram backend) may match on the exact text.
        $reason = "Inverste Query on TCP port 53!";
        # echo ($reason,"\n");
        record system.time, ip.src, ip.dst, $reason to the_recorder;
    }
}

# Sink for the records above: histogram backend configured by iquery.cfg,
# laid out per the_schema.  The filter references the_recorder before this
# declaration; presumably resolved when the package is loaded -- TODO confirm.
the_recorder=recorder("bin/histogram packages/test/iquery.cfg", "the_schema");