Hi there,
I’ve read this article from Mr. Koopmann with quite some interest: https://www.graylog.org/blog/72-tapping-wires-for-lean-security-monitoring-dns-request-analysis-with-open-source-software
Sadly it stops where it gets exciting… and there is no follow-up (even though one was promised :D)
I have this message and I want to check it against a blacklist of domains.
08-Nov-2017 10:44:15.798 client 1.1.1.1#11111 (graph.facebook.c om): query: graph.facebook.c om IN A + (1.1.1.1)
This is my pipeline rule:
rule "DNS_Check_Blacklist"
when
    has_field("DNS_Domain")
then
    set_field("DNS_Domain_Malicious", lookup_value("dns_blacklist", $message.DNS_Domain));
end
My lookup table looks like this:
"domain","true"
My problem is this: checking my message against a lookup table only works if the domain is exactly what is inside the lookup table!
Table: graph.facebook.c om
Query: graph.facebook.c om → works
Table: facebook.c om
Query: graph.facebook.c om → doesn’t work
While it is logical to me why it doesn’t work, I can’t think of another way to get it to work the way I want it to.
I thought about another solution and came up with this: I could try to normalize the DNS_Domain field and create new fields like this:
DNS_Domain: facebook
DNS_TopLevel: com
DNS_SubDomain: graph
I could change the lookup table to contain the new fields domain, toplevel, true and do a multi-value lookup, but this doesn’t feel like the right way to do it. And even if I do it like that, the rule for extracting the new fields would be quite complex, I guess (what should happen if the query looks like this: www.graph.facebook.c om or graph.facebook.co.u k?). Has someone had the same problem and found a good solution for it?
Sorry for the formatting of the URLs… I can’t post more than two links…
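The matching logic the post is asking for, written up as an added Python example (not part of the original post and not Graylog's pipeline language): the query name is taken from a BIND-style log line of the same shape as the one above, then the name and each of its parent names are checked against the list, so a list entry covers all of its subdomains. The blocklist, the log line and the small public-suffix set (which stops the walk so that entries like co.uk can never match on their own) are all constructed for the example.

```python
import re

# Constructed BIND-style query log line, same shape as the one in the post.
SAMPLE_LINE = ("08-Nov-2017 10:44:15.798 client 1.1.1.1#11111 (graph.facebook.com): "
               "query: graph.facebook.com IN A + (1.1.1.1)")

# Pulls the queried name and record type out of the "query:" section.
QUERY_RE = re.compile(r"\bquery: (?P<domain>\S+) IN (?P<qtype>\S+)")

# Constructed blocklist; a listed name also covers every name below it.
BLOCKLIST = {"facebook.com", "bad.example.net"}

# Constructed, deliberately tiny public-suffix set. The suffix walk stops here,
# so a list entry such as "co.uk" or "com" never matches by itself.
PUBLIC_SUFFIXES = {"com", "net", "uk", "co.uk"}


def extract_domain(line):
    """Return the queried name from a BIND query log line, lowercased and without trailing dot."""
    m = QUERY_RE.search(line)
    return m.group("domain").rstrip(".").lower() if m else None


def candidates(domain):
    """Yield the name and each parent name, stopping before a public suffix.

    www.graph.facebook.com -> www.graph.facebook.com, graph.facebook.com, facebook.com
    """
    labels = domain.split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand in PUBLIC_SUFFIXES:
            break
        yield cand


def blocklist_match(domain, blocklist=BLOCKLIST):
    """Return the blocklist entry that covers `domain`, or None if nothing matches."""
    for cand in candidates(domain):
        if cand in blocklist:
            return cand
    return None


def check_line(line, blocklist=BLOCKLIST):
    """Enrich one log line with the fields the post's pipeline rule wants to set."""
    domain = extract_domain(line)
    if domain is None:
        return None
    hit = blocklist_match(domain, blocklist)
    return {"DNS_Domain": domain, "DNS_Domain_Malicious": hit is not None, "matched_entry": hit}
```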