Only process zeek.dns.tld if dns.query.name contains a dot #734

https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/734
2025-12-07 09:42:46 +01:00 · 2020-05-19 10:08:30 -04:00
parent fc4afe6767
commit 29420da565
1 changed files with 1 additions and 1 deletions
--- a/salt/elasticsearch/files/ingest/zeek.dns
+++ b/salt/elasticsearch/files/ingest/zeek.dns
@@ -23,7 +23,7 @@
    { "rename": 	{ "field": "message2.TTLs", 		"target_field": "dns.ttls",			"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.rejected", 	"target_field": "dns.query.rejected",		"ignore_missing": true 	} },
    { "script": 	{ "lang": "painless", "source": "ctx.dns.query.length = ctx.dns.query.name.length()",	"ignore_failure": true  } },
-    { "pipeline":       { "if": "ctx.dns.query.type_name != 'NB' && ctx.dns.query.type_name != 'TKEY' && ctx.dns.query.type_name != 'NBSTAT' && ctx.dns.query.type_name != 'PTR'", "name": "zeek.dns.tld"} },
+    { "pipeline": { "if": "ctx.dns.query.name.contains('.')", "name": "zeek.dns.tld"} },
    { "pipeline":       { "name": "zeek.common"											} }
  ]
 }