Still my pipeline is not working - And need help badly

Hi Team,

Pertaining to my other thread: since that one is closed, I need to open a new one.

Here is the info

DNS RPZ Stream
Stream ID = 5b9e7dfdc4445a03714dfd72
Field = qdomain
String = sway.office.com
***********
AD logs Stream => Remote stream
Stream ID = 5d7f8e434980dd02c2fffb34
Field = packetbeat_dns_question_name
String = packetbeat_client_ip

As per the above, I need to find out whether the qdomain field from stream [5b9e7dfdc4445a03714dfd72] matches packetbeat_dns_question_name from [5d7f8e434980dd02c2fffb34]; if it does, return the most recent packetbeat_client_ip from [5d7f8e434980dd02c2fffb34].

Here is my rule

rule "find_orig_client_ip - new"
when
    has_field("qdomain")
then
    // slookup arguments as mapped from the plugin help: remote stream,
    // srcField, dstField, rtnField, time range, sort order
    let orig_client_ip = slookup("5d7f8e434980dd02c2fffb34", "qdomain", "packetbeat_dns_question_name", ["packetbeat_client_ip"], "180", "desc");
    set_field("packetbeat_client_ip", to_string(orig_client_ip));
end

I am not able to get the proper results. My queries are:

I am attaching this pipeline to the DNS RPZ stream [5b9e7dfdc4445a03714dfd72], so per the slookup help:
Remote stream => 5d7f8e434980dd02c2fffb34
srcField => qdomain
dstField => packetbeat_dns_question_name
rtnField => packetbeat_client_ip

Please help

TIA
blason R

You might want to get in contact with the creator of the slookup plugin to check whether it works the way you are trying to use it.

Agree!! And let me do that.

BTW is there any alternative method that you are aware of to achieve the same in Graylog?

No known option - at least for me.

You could loop back into Graylog with a Python or PowerShell micro-service.
I do it with AD lookups; nothing says you couldn't do it by circling back to Graylog.

Basically:
Python (bottle is super easy) listening at http://some_server/dns_loopback?client=XYZ
Python does a curl search on Graylog and spits out the result.

Set up a lookup table using the URL - and carefully monitor performance and watch for loops. :)


Nah, that is not gonna work for me since:

  1. I am not a Python pro.
  2. The DNS query rate is pretty high and I'm not sure if that would sustain the load.

You could do it in PowerShell as well.
I think a custom solution is the only thing that's going to do what you're asking. It seems like an extremely odd request, though. What, specifically, are you trying to do? Maybe there is a better option, logically. I really don't follow your architecture.

You want the original Client IP from a DNS query to a sinkhole server, right? Is it not in the DNS logs on the sinkhole server? It should be.

Are you trying to find the DNS logs that are querying for invalid domains, or only valid ones? Look at the DNS responses in the same stream.

Does your lookup logic break if two different machines query the same domain (internal.corp or whatever)? I mean, you're trying to match a DNS query to another log source using the queried domain as your unique key - that seems easily broken.

What is the end goal of this? Maybe draw me a picture; I'm a manager after all - I need crayons and glitter.
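As an added example (not code from this thread, the slookup plugin or Graylog itself), here is a stdlib-only Python version of the loopback service suggested earlier, which also returns how many distinct clients asked for the domain in the window, so the "domain is not a unique key" problem raised in the last reply becomes visible in the lookup result instead of silently picking one host. It assumes Graylog's legacy /api/search/universal/relative endpoint and its JSON response shape, an API token belonging to a read-only user, and uses http.server in place of bottle; the base URL and token are placeholders.

```python
import base64, json, re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

GRAYLOG = "http://graylog.example.internal:9000"  # assumption: your Graylog base URL
API_TOKEN = "REPLACE_WITH_READONLY_TOKEN"          # placeholder: token of a read-only user
REMOTE_STREAM = "5d7f8e434980dd02c2fffb34"         # AD/packetbeat stream from the thread
WINDOW = 180                                       # seconds, matching the "180" in the slookup call
def lucene_escape(value):
    # qdomain is attacker-influenced input; escape it before it enters the Lucene query.
    return re.sub(r'([+\-!(){}\[\]^"~*?:\\/&|])', r'\\\1', value)

def build_search_params(domain):
    return {"query": 'packetbeat_dns_question_name:"%s"' % lucene_escape(domain),
            "range": str(WINDOW), "streams": REMOTE_STREAM, "limit": "50",
            "fields": "timestamp,packetbeat_client_ip", "sort": "timestamp:desc"}

def pick_client_ip(messages):
    # Newest client wins; distinct_clients > 1 means the domain alone was not a unique key.
    hits = [m["message"] for m in messages if "packetbeat_client_ip" in m.get("message", {})]
    if not hits:
        return None
    hits.sort(key=lambda m: m.get("timestamp", ""), reverse=True)
    return {"client_ip": hits[0]["packetbeat_client_ip"],
            "distinct_clients": len({m["packetbeat_client_ip"] for m in hits})}

def fetch(domain):
    auth = base64.b64encode((API_TOKEN + ":token").encode()).decode()
    req = Request(GRAYLOG + "/api/search/universal/relative?" + urlencode(build_search_params(domain)),
                  headers={"Accept": "application/json", "Authorization": "Basic " + auth})
    with urlopen(req, timeout=5) as resp:  # short timeout: this sits in the pipeline's hot path
        return pick_client_ip(json.load(resp).get("messages", []))

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):  # Graylog's HTTP JSONPath adapter calls /dns_loopback?client=<qdomain>
        url = urlparse(self.path)
        domain = parse_qs(url.query).get("client", [""])[0]
        result = fetch(domain) if url.path == "/dns_loopback" and domain else None
        body = json.dumps(result or {}).encode()
        self.send_response(200); self.send_header("Content-Type", "application/json")
        self.end_headers(); self.wfile.write(body)

# Constructed sample of a response's "messages" list, for checking pick_client_ip offline.
SAMPLE_MESSAGES = [
    {"message": {"timestamp": "2019-09-18T10:00:01.000Z", "packetbeat_client_ip": "10.1.1.5"}},
    {"message": {"timestamp": "2019-09-18T10:02:00.000Z", "packetbeat_client_ip": "10.1.1.9"}},
    {"message": {"timestamp": "2019-09-18T10:01:30.000Z", "packetbeat_client_ip": "10.1.1.5"}}]
if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8088), Handler).serve_forever()
```

Point a Graylog HTTP JSONPath data adapter at http://127.0.0.1:8088/dns_loopback?client=${key} with $.client_ip as the single value, and alert or drop the enrichment when $.distinct_clients is above 1.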
