Rule is not getting applied and no error

rule "dns_container_tag"
when
    has_field("subsystem") &&
    has_field("protocol_id") &&
    to_string($message.subsystem) == "RT_FLOW" &&
    to_string($message.protocol_id) == "17" &&
    (
        (
            has_field("src_port") &&
            to_string($message.src_port) == "53" &&
            has_field("src_zone") &&
            to_string($message.src_zone) == "v900_SMVN"
        ) ||
        (
            has_field("dst_port") &&
            to_string($message.dst_port) == "53" &&
            has_field("dst_zone") &&
            to_string($message.dst_zone) == "v900_SMVN"
        )
    )
then
    // DNS Response: source port 53
    if (has_field("src_port") && to_string($message.src_port) == "53") {
        set_field("dns_container", "DNS_R");
    }
    else {
        // DNS Query: destination port 53
        if (has_field("dst_port") && to_string($message.dst_port) == "53") {
            set_field("dns_container", "DNS_Q");
        }
        else {
            set_field("dns_container", "unknown");
        }
    }
end
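
The following is an added example, not code from the original post and not Graylog's own code. It re-implements the rule's `when` predicate and `then` branches in Python so the decision logic can be exercised offline against a few constructed sample messages (not real RT_FLOW logs). Assumptions: a message is a plain dict of field name to value, `has_field()` is presence in that dict, and `to_string()` is simulated with `str()`, so an integer 17 and the string "17" compare equal the way they would after Graylog's `to_string()`.

```python
"""Offline simulation of the dns_container_tag pipeline rule.

Added example; mirrors the rule's logic in Python. Assumptions (not from
the original post): a message is a dict, has_field() is dict membership,
and to_string() is simulated with str().
"""


def has_field(msg, name):
    """Simulated has_field(): true when the field is present, whatever its type."""
    return name in msg


def to_string(value):
    """Simulated to_string(): numbers and strings both become text before comparison."""
    return str(value)


def rule_matches(msg):
    """The `when` clause: RT_FLOW, UDP (protocol 17), port 53 on the v900_SMVN side."""
    if not (has_field(msg, "subsystem") and has_field(msg, "protocol_id")):
        return False
    if to_string(msg["subsystem"]) != "RT_FLOW" or to_string(msg["protocol_id"]) != "17":
        return False
    src_side = (has_field(msg, "src_port") and to_string(msg["src_port"]) == "53"
                and has_field(msg, "src_zone") and to_string(msg["src_zone"]) == "v900_SMVN")
    dst_side = (has_field(msg, "dst_port") and to_string(msg["dst_port"]) == "53"
                and has_field(msg, "dst_zone") and to_string(msg["dst_zone"]) == "v900_SMVN")
    return src_side or dst_side


def apply_rule(msg):
    """The `then` clause: returns the dns_container value, or None if the rule did not fire."""
    if not rule_matches(msg):
        return None
    # Note: these branches check only the port, not the zone, so they are looser than `when`.
    if has_field(msg, "src_port") and to_string(msg["src_port"]) == "53":
        return "DNS_R"
    if has_field(msg, "dst_port") and to_string(msg["dst_port"]) == "53":
        return "DNS_Q"
    return "unknown"  # unreachable: `when` already requires one of the two ports to be 53


# Constructed sample messages (hypothetical, not captured RT_FLOW logs).
SAMPLES = {
    "response_int_fields": {"subsystem": "RT_FLOW", "protocol_id": 17, "src_port": 53,
                            "src_zone": "v900_SMVN", "dst_port": 40000, "dst_zone": "trust"},
    "query_str_fields": {"subsystem": "RT_FLOW", "protocol_id": "17", "src_port": "51234",
                         "src_zone": "trust", "dst_port": "53", "dst_zone": "v900_SMVN"},
    "tcp_not_udp": {"subsystem": "RT_FLOW", "protocol_id": 6, "dst_port": 53, "dst_zone": "v900_SMVN"},
    "wrong_zone": {"subsystem": "RT_FLOW", "protocol_id": 17, "dst_port": 53, "dst_zone": "untrust"},
    "missing_zone_field": {"subsystem": "RT_FLOW", "protocol_id": 17, "dst_port": 53},
    # Passes `when` only via the dst side, yet `then` tests src_port first and tags it DNS_R.
    "both_ports_53": {"subsystem": "RT_FLOW", "protocol_id": 17, "src_port": 53, "src_zone": "trust",
                      "dst_port": 53, "dst_zone": "v900_SMVN"},
}


def run_all():
    """Apply the simulated rule to every sample; returns {name: dns_container or None}."""
    return {name: apply_rule(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:22} -> {result}")
```

Running it shows the rule fires on the first two samples and skips TCP, a foreign zone, or a message missing the zone field entirely, which is why an actual message from the stream is needed to check that these exact field names and values are present. The last sample also shows that the `then` branches only look at the port, so a flow with port 53 on both ends is tagged DNS_R even when only the destination side satisfied the `when` clause.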

Hello @vikassingh27,

Do you have an example log message to test against the rule?
