Graylog DNS Blacklisting

Hi there,

I've read this article by Mr. Koopmann with quite some interest: https://www.graylog.org/blog/72-tapping-wires-for-lean-security-monitoring-dns-request-analysis-with-open-source-software

Sadly it stops where it gets exciting… and there is no follow-up (even though it was promised :D)

I have this message and I want to check it against a blacklist of domains.

08-Nov-2017 10:44:15.798 client 1.1.1.1#11111 (graph.facebook.com): query: graph.facebook.com IN A + (1.1.1.1)

This is my pipeline rule:

rule "DNS_Check_Blacklist"
when
    has_field("DNS_Domain")
then
    set_field("DNS_Domain_Malicious", lookup_value("dns_blacklist", $message.DNS_Domain));
end

My lookup table is like this:

"domain","true"

My problem is this: if I check my message against a lookup table, it works if the domain is exactly what is inside the lookup table!

Table: graph.facebook.com
Query: graph.facebook.com → works

Table: facebook.com
Query: graph.facebook.com → doesn't work

While it is logical to me why it doesn't work, I can't imagine another way to get it to work like I want it to.
I thought about another solution and came up with this: I could try to normalize the DNS_Domain field and create new fields like this:

DNS_Domain: facebook
DNS_TopLevel: com
DNS_SubDomain: graph

I could change the lookup table to contain the new fields domain, toplevel, true and do a multi-value lookup, but this doesn't feel like the right way to do it. And even if I do it like that, the rule for extracting the new fields would be quite complex, I guess (what should happen if the query looks like this: www.graph.facebook.com or graph.facebook.co.uk?). Has someone had the same problem and found a good solution for it?

Sorry for the formatting of the URLs… I can't post more than two links…
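The matching the post is after, as an added example that is not part of the original post and not Graylog's own code: parse the BIND-style query-log line into fields, normalize the queried name, and then look up every parent suffix of that name (graph.facebook.com, facebook.com, …) against the blacklist, so a table entry of facebook.com also hits graph.facebook.com and www.graph.facebook.com. The example goes slightly beyond the post by also lowercasing the name and stripping a trailing dot, since resolvers log both. It is written in Python rather than in Graylog's pipeline language; the log lines, the blacklist and the field names DNS_Domain_Malicious and DNS_Blacklist_Entry are constructed for the example.

```python
import re
from typing import Iterator, Optional

# Constructed sample lines in BIND query-log format, modelled on the one in the post.
SAMPLE_LOG_LINES = [
    "08-Nov-2017 10:44:15.798 client 1.1.1.1#11111 (graph.facebook.com): query: graph.facebook.com IN A + (1.1.1.1)",
    "08-Nov-2017 10:44:16.001 client 10.0.0.5#53211 (WWW.Graph.Facebook.com.): query: WWW.Graph.Facebook.com. IN AAAA + (10.0.0.5)",
    "08-Nov-2017 10:44:16.200 client 10.0.0.7#40001 (graph.facebook.co.uk): query: graph.facebook.co.uk IN A + (10.0.0.7)",
    "08-Nov-2017 10:44:17.500 client 10.0.0.9#40002 (notfacebook.com): query: notfacebook.com IN MX + (10.0.0.9)",
]

# Constructed blacklist: the equivalent of the "domain","true" rows in the lookup table.
BLACKLIST = {"facebook.com", "evil.example.net"}

# "client IP#port (qname): query: qname IN type flags (server)"
QUERY_RE = re.compile(
    r"client (?P<client_ip>[0-9a-fA-F.:]+)#(?P<client_port>\d+) "
    r"\((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\S+)"
)


def parse_query_line(line: str) -> Optional[dict]:
    """Extract client address, queried name and record type from one log line."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    return {
        "client_ip": m.group("client_ip"),
        "client_port": int(m.group("client_port")),
        "qname": m.group("qname"),
        "qtype": m.group("qtype"),
    }


def normalize_domain(name: str) -> str:
    """Lowercase and drop the trailing dot of an absolute name so lookups are exact."""
    return name.strip().rstrip(".").lower()


def domain_suffixes(name: str, min_labels: int = 2) -> Iterator[str]:
    """Yield the name and each parent domain, longest first, down to min_labels labels.

    Stopping at two labels means a bare TLD entry like "com" never matches,
    which is usually what you want for a blacklist.
    """
    labels = normalize_domain(name).split(".")
    for i in range(len(labels) - min_labels + 1):
        yield ".".join(labels[i:])


def blacklist_match(name: str, blacklist: set, min_labels: int = 2) -> Optional[str]:
    """Return the blacklist entry that covers `name`, or None.

    Matching is on label boundaries, so "notfacebook.com" does not match
    an entry of "facebook.com" the way a substring check would.
    """
    for suffix in domain_suffixes(name, min_labels):
        if suffix in blacklist:
            return suffix
    return None


def enrich(line: str, blacklist: set) -> Optional[dict]:
    """Parse one log line and add the blacklist verdict as extra fields."""
    rec = parse_query_line(line)
    if rec is None:
        return None
    rec["DNS_Domain"] = normalize_domain(rec["qname"])
    hit = blacklist_match(rec["DNS_Domain"], blacklist)
    rec["DNS_Domain_Malicious"] = hit is not None
    rec["DNS_Blacklist_Entry"] = hit  # which table entry fired, useful for triage
    return rec


if __name__ == "__main__":
    for raw in SAMPLE_LOG_LINES:
        rec = enrich(raw, BLACKLIST)
        print(rec["DNS_Domain"], "->", rec["DNS_Domain_Malicious"], rec["DNS_Blacklist_Entry"])
```

Because every suffix is looked up in turn, names under co.uk need no special casing: an entry of facebook.co.uk would cover graph.facebook.co.uk, while the facebook.com entry correctly does not. The same walk can be expressed against a lookup table whose keys are parent domains by looking up each suffix from the longest to the shortest and keeping the first hit.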
