This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

DomainStats

weslambert edited this page Sep 7, 2017 · 22 revisions

We're currently working on integrating DomainStats (a dockerized version of Mark Baggett's domain_stats.py, found at https://github.com/MarkBaggett/domain_stats) into Security Onion as part of our move to the Elastic stack.

Thanks to Justin Henderson for all his work with the DomainStats docker image!

From https://github.com/SMAPPER/docker_domain_stats:

Description

This docker image runs domain_stats.py. This is a Python service designed to perform mass domain analysis. It can do things such as find the creation_date of a domain and identify whether a domain is a member of the Alexa/Cisco Umbrella top 1 million sites.

It was developed to be used in conjunction with a SIEM and is used in production environments. Specifically, it has been used in conjunction with the Elastic Stack, for example being queried by Logstash, with great success.

Configuration

Updating Top-1m file

From https://github.com/SMAPPER/docker_domain_stats#updating-top-1m-file:

The docker image does not currently automatically update the top-1m.csv. The below example shows how to download a new top 1 million site list and have a domain_stats container use it. This could be scheduled as a cron job on your host to keep a current Alexa/Cisco Umbrella top-1m.csv in use.

# Download the current top 1 million list and unpack top-1m.csv
wget -q http://s3.amazonaws.com/alexa-static/top-1m.csv.zip; unzip top-1m.csv.zip
# Replace the list inside the so-domainstats container, then restart it so the service picks up the new file
sudo docker cp top-1m.csv so-domainstats:/opt/domain_stats/top-1m.csv
sudo docker restart so-domainstats
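The commands above copy whatever was downloaded straight into the container. If the download fails part way or returns an error page, the broken file replaces the working list and the restarted service has nothing useful to match against. The script below is an added example (it is not Security Onion's or docker_domain_stats' own code) that wraps the same steps in a validation check suitable for the cron job the text suggests: it only copies the new list into the container when the file has the expected `rank,domain` shape and a sane number of lines. The URL, container name `so-domainstats` and path `/opt/domain_stats/top-1m.csv` come from this page; the `MIN_LINES` threshold, the line pattern and the function names are my own assumptions.

```shell
#!/bin/sh
# Refresh the top-1m list used by the so-domainstats container, refusing to
# install a file that does not look like a ranked domain list.
# Added example; values below are taken from the wiki page except where noted.
TOP1M_URL="http://s3.amazonaws.com/alexa-static/top-1m.csv.zip"
CONTAINER="so-domainstats"
DEST="/opt/domain_stats/top-1m.csv"
MIN_LINES=1000   # assumed sanity floor; the real list is ~1,000,000 lines

# validate_top1m FILE [MIN]
# Returns 0 when FILE is non-empty, has at least MIN lines (default MIN_LINES)
# and every line matches "rank,domain" with no spaces or extra fields.
# A saved HTML error page or a truncated download fails this check.
validate_top1m() {
    file="$1"
    min="${2:-$MIN_LINES}"
    [ -s "$file" ] || return 1
    lines=$(wc -l < "$file" | tr -d ' ')
    [ "$lines" -ge "$min" ] || return 1
    # grep -v succeeds if it finds any line NOT matching the pattern, which is the failure case
    if grep -Ev '^[0-9]+,[^,[:space:]]+$' "$file" >/dev/null; then
        return 1
    fi
    return 0
}

# refresh_top1m
# Downloads and unpacks the list into a scratch directory, validates it, and
# only then copies it into the container and restarts the service.
refresh_top1m() {
    work=$(mktemp -d) || return 1
    if ! wget -q -O "$work/top-1m.csv.zip" "$TOP1M_URL"; then
        echo "download of $TOP1M_URL failed; keeping current list" >&2
        rm -rf "$work"; return 1
    fi
    if ! unzip -q -o "$work/top-1m.csv.zip" -d "$work"; then
        echo "unzip failed; keeping current list" >&2
        rm -rf "$work"; return 1
    fi
    if ! validate_top1m "$work/top-1m.csv"; then
        echo "downloaded list failed validation; keeping current list in $CONTAINER" >&2
        rm -rf "$work"; return 1
    fi
    sudo docker cp "$work/top-1m.csv" "$CONTAINER:$DEST" && sudo docker restart "$CONTAINER"
    rc=$?
    rm -rf "$work"
    return "$rc"
}

# Run the refresh only when invoked as "refresh_top1m.sh run", so the
# functions can also be sourced and tested on their own.
if [ "${1:-}" = "run" ]; then
    refresh_top1m
fi
```

Scheduling this as `refresh_top1m.sh run` from cron keeps the behaviour of the original three commands but makes a failed or tampered download a logged no-op rather than a silent replacement of the list the service is matching against.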

For information on how to modify the DomainStats configuration, consult the following:
https://github.com/SMAPPER/docker_domain_stats

DomainStats logs can be found in /var/log/domain_stats/.
