Skip to content
/ pihole-checklogs Public

An helper script to check Pi-hole logs for given network IOCs (domains/FQDNs, or IPs)

License

AGPL-3.0 license
8 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

securechicken/pihole-checklogs

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits

.github

.github

 
 

.gitattributes

.gitattributes

 
 

CHANGELOG.md

CHANGELOG.md

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

pihole-checklogs.sh

pihole-checklogs.sh

 
 

Repository files navigation

pihole-checklogs.sh

A standalone Bash Pi-hole helper script, to check Pi-hole FTL-DB and DNS logs for a list of given domains/IPs, in order to determine if they have ever been queried by Pi-hole system. This is notably useful to investigate on (or check for) possible compromise, based on a list of network indicators of compromise (IOCs).

This script was initially proposed as a Pi-hole CLI addition, to be used as pihole checklogs, but maintainers did not deemed such functionality to be in scope. It is provided as a standalone script.

Requirements

A fully working Pi-hole environment (host), with Bash 4+, GNU grep and zcat.

Installation

Just download a copy of the script from the latest release, and put it somewhere in your Pi-hole host. Get sure the script is executable then (chmod +x /path/to/pihole-checklogs.sh).

In order to be able to run the script as a binary from anywhere in your host without specifying a full path, you can link the script in a repository from your Bash $PATH, e.g.: sudo ln -s /path/to/pihole-checklogs.sh /usr/local/bin/pihole-checklogs.

Usage

Just check /path/to/pihole-checklogs.sh --help:

Usage: pihole-checklogs.sh {--help|-h, <IOCs list> (--nosubs) (--results) (--info)}

Check Pi-hole FTL-DB and DNS logs for a list of given domains/IPs, in order to
determine if they have ever been queried by Pi-hole systems.
This is notably useful to investigate on (or check for) possible compromise, based
on a list of network indicators of compromise (IOCs).

-h, --help:   shows command-line usage info.
<IOCs list>:  a path to a file containing FQDNs, domains or IPv4/6 (one per line)
              with optional [.] defanging.
              The script will first search domains/FQDNs (and their subdomains by
              default) in Pi-hole's long term data (FTL DB). If matches are found, they
              are then searched in Pi-hole's DNS queries log (which is generated by
              dnsmasq by default) to obtain the queries' dates, clients and resolved
              IPs. IPv4/6 are searched as resolutions in the DNS logs directly.
--nosubs:     optional flag. If set, subdomains of the given domains/FQDNs are not
              searched.
--results:    optional flag. Show detailed results without prompting the user.
--info:       optional flag. Show more info messages.

About

An helper script to check Pi-hole logs for given network IOCs (domains/FQDNs, or IPs)

Topics

dns logs pi-hole standalone cybersecurity iocs pihole-checklogs

Resources

Readme

License

AGPL-3.0 license
Activity

Stars

8 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 4

v1.1.1 Latest
Jun 7, 2023
+ 3 releases

Sponsor this project

Languages