Pertaining to my other thread since that one is closed I need to open a new one.
Here is the info
DNS RPZ Stream
Stream ID = 5b9e7dfdc4445a03714dfd72
Field = qdomain
String = sway.office.com
***********
AD logs Stream => Remote stream
Stream ID = 5d7f8e434980dd02c2fffb34
Field = packetbeat_dns_question_name
String = packetbeat_client_ip
As per above, I need to find out if qdomain Field from stream [5b9e7dfdc4445a03714dfd72] matches with packetbeat_dns_question_name from [5d7f8e434980dd02c2fffb34] then return recent packetbeat_client_ip from [5d7f8e434980dd02c2fffb34]
Here is my rule
rule "find_orig_client_ip - new"
when
    has_field("qdomain")
then
    let orig_client_ip = slookup("5d7f8e434980dd02c2fffb34", "qdomain", "packetbeat_dns_question_name", ["packetbeat_client_ip"], "180", "desc");
    set_field("packetbeat_client_ip", to_string(orig_client_ip));
end
I am not able to get the proper results. My queries are -
I am attaching this pipeline to DNS RPZ stream [5b9e7dfdc4445a03714dfd72] so per slookup help
Remote stream => 5d7f8e434980dd02c2fffb34
srcField => qdomain
dstField => packetbeat_dns_question_name
rtnField => packetbeat_client_ip
You could loop back into graylog with a python or powershell micro-service.
I do it with AD lookups, nothing says you couldn’t do it by circling back to graylog.
Basically:
Python (bottle is super easy) listening at http://some_server/dns_loopback?client=XYZ
Python does a curl search on graylog and spits out the result.
Set up a lookup table using the url - and carefully monitor performance and watch for loops.
You could do it in powershell as well.
I think a custom solution is the only thing that’s going to do what you’re asking. It seems like an extremely odd request - though. What, specifically, are you trying to do - maybe there is a better option, logically? I really don’t follow your architecture.
You want the original Client IP from a DNS query to a sinkhole server, right? Is it not in the DNS logs on the sinkhole server? It should be.
Are you trying to find the DNS logs that are querying for invalid domains or only valid ones? Look at the DNS responses in the same stream.
Does your lookup logic break if two different machines query the same domain (internal.corp or whatever)? I mean, you’re trying to match a DNS query to another log source - using the queried domain as your unique key - that seems easily broken.
What is the end goal of this? Maybe draw me a picture, I’m a manager after all - I need crayons and glitter.
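One way to build the loopback micro-service the reply above sketches, as an added example that is not from the thread. It uses Python's standard library instead of bottle, searches the packetbeat stream from the question for the looked-up qdomain, and answers `GET /dns_loopback?domain=<qdomain>` with JSON that a Graylog HTTP JSONPath data adapter can consume via `$.client_ip`. Assumptions: Graylog's universal relative search endpoint, an API token sent as the Basic-auth username with password "token", and the base URL and token read from the environment.

```python
import base64, json, os, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
# Assumptions (not from the thread): URL and token from the environment, the universal relative
# search endpoint, and the API token sent as the Basic-auth username with password "token".
GRAYLOG_URL = os.environ.get("GRAYLOG_URL", "http://graylog.example.internal:9000")
GRAYLOG_TOKEN = os.environ.get("GRAYLOG_TOKEN", "REPLACE_WITH_API_TOKEN")
STREAM_ID = "5d7f8e434980dd02c2fffb34"  # the packetbeat/AD stream from the question

def build_search_params(domain, range_seconds=180):
    # Exact, quoted match on the question name, newest first; escape quotes and backslashes
    # so a looked-up key cannot change the meaning of the query.
    safe = domain.replace("\\", "\\\\").replace('"', '\\"')
    return {"query": 'packetbeat_dns_question_name:"%s"' % safe,
            "range": str(range_seconds), "filter": "streams:" + STREAM_ID,
            "fields": "timestamp,packetbeat_dns_question_name,packetbeat_client_ip",
            "limit": "50", "sort": "timestamp:desc"}

def most_recent_client_ip(search_response, domain):
    # Re-check the exact match client-side; keep the newest client IP (ISO 8601 sorts lexically).
    best = None
    for hit in search_response.get("messages", []):
        msg = hit.get("message", {})
        if msg.get("packetbeat_dns_question_name") != domain:
            continue
        ip, ts = msg.get("packetbeat_client_ip"), msg.get("timestamp", "")
        if ip and (best is None or ts > best[0]):
            best = (ts, ip)
    return best[1] if best else None

def lookup_in_graylog(domain):
    url = GRAYLOG_URL + "/api/search/universal/relative?" + urllib.parse.urlencode(build_search_params(domain))
    auth = base64.b64encode((GRAYLOG_TOKEN + ":token").encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + auth, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:  # short timeout: the pipeline waits on this
        return most_recent_client_ip(json.load(resp), domain)

class LoopbackHandler(BaseHTTPRequestHandler):
    # GET /dns_loopback?domain=<qdomain> -> {"client_ip": ...}; use $.client_ip in the JSONPath adapter
    def do_GET(self):
        parsed = urllib.parse.urlparse(self.path)
        domain = urllib.parse.parse_qs(parsed.query).get("domain", [""])[0]
        ip = lookup_in_graylog(domain) if parsed.path == "/dns_loopback" and domain else None
        body = json.dumps({"client_ip": ip}).encode()
        self.send_response(200 if ip else 404)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), LoopbackHandler).serve_forever()
```

Bind it to localhost or put it behind authentication, and cache results in the lookup table: every RPZ message otherwise turns into a Graylog search, which is the performance and loop risk the reply warns about.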