From 7be70faab638737c02dbd26928573da92b4b80e1 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 13 Nov 2025 10:49:37 -0600 Subject: [PATCH 1/7] format json --- salt/elasticsearch/files/ingest/suricata.dns | 133 ++++++++++++++++--- 1 file changed, 113 insertions(+), 20 deletions(-) diff --git a/salt/elasticsearch/files/ingest/suricata.dns b/salt/elasticsearch/files/ingest/suricata.dns index 3ef68f28b..e9fab994c 100644 --- a/salt/elasticsearch/files/ingest/suricata.dns +++ b/salt/elasticsearch/files/ingest/suricata.dns 
@@ -1,21 +1,114 @@ { - "description" : "suricata.dns", - "processors" : [ - { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, - { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, - { "rename": { "field": "message2.dns.type", "target_field": "dns.query.type", "ignore_missing": true } }, - { "rename": { "field": "message2.dns.tx_id", "target_field": "dns.id", "ignore_missing": true } }, - { "rename": { "field": "message2.dns.version", "target_field": "dns.version", "ignore_missing": true } }, - { "rename": { "field": "message2.dns.rrname", "target_field": "dns.query.name", "ignore_missing": true } }, - { "rename": { "field": "message2.dns.rrtype", "target_field": "dns.query.type_name", "ignore_missing": true } }, - { "rename": { "field": "message2.dns.flags", "target_field": "dns.flags", "ignore_missing": true } }, - { "rename": { "field": "message2.dns.qr", "target_field": "dns.qr", "ignore_missing": true } }, - { "rename": { "field": "message2.dns.rd", "target_field": "dns.recursion.desired", "ignore_missing": true } }, - { "rename": { "field": "message2.dns.ra", "target_field": "dns.recursion.available", "ignore_missing": true } }, - { "rename": { "field": "message2.dns.rcode", "target_field": "dns.response.code_name", "ignore_missing": true } }, - { "rename": { "field": "message2.dns.grouped.A", "target_field": "dns.answers.data", "ignore_missing": true } }, - { "rename": { "field": "message2.dns.grouped.CNAME", "target_field": "dns.answers.name", "ignore_missing": true } }, - { "pipeline": { "if": "ctx.dns.query?.name != null && ctx.dns.query.name.contains('.')", "name": "dns.tld" } }, - { "pipeline": { "name": "common" } } - ] -} + "description": "suricata.dns", + "processors": [ + { + "rename": { + "field": "message2.proto", + "target_field": "network.transport", + "ignore_missing": true + } + }, + { + "rename": { + "field": "message2.app_proto", + 
"target_field": "network.protocol", + "ignore_missing": true + } + }, + { + "rename": { + "field": "message2.dns.type", + "target_field": "dns.query.type", + "ignore_missing": true + } + }, + { + "rename": { + "field": "message2.dns.tx_id", + "target_field": "dns.id", + "ignore_missing": true + } + }, + { + "rename": { + "field": "message2.dns.version", + "target_field": "dns.version", + "ignore_missing": true + } + }, + { + "rename": { + "field": "message2.dns.rrname", + "target_field": "dns.query.name", + "ignore_missing": true + } + }, + { + "rename": { + "field": "message2.dns.rrtype", + "target_field": "dns.query.type_name", + "ignore_missing": true + } + }, + { + "rename": { + "field": "message2.dns.flags", + "target_field": "dns.flags", + "ignore_missing": true + } + }, + { + "rename": { + "field": "message2.dns.qr", + "target_field": "dns.qr", + "ignore_missing": true + } + }, + { + "rename": { + "field": "message2.dns.rd", + "target_field": "dns.recursion.desired", + "ignore_missing": true + } + }, + { + "rename": { + "field": "message2.dns.ra", + "target_field": "dns.recursion.available", + "ignore_missing": true + } + }, + { + "rename": { + "field": "message2.dns.rcode", + "target_field": "dns.response.code_name", + "ignore_missing": true + } + }, + { + "rename": { + "field": "message2.dns.grouped.A", + "target_field": "dns.answers.data", + "ignore_missing": true + } + }, + { + "rename": { + "field": "message2.dns.grouped.CNAME", + "target_field": "dns.answers.name", + "ignore_missing": true + } + }, + { + "pipeline": { + "if": "ctx.dns.query?.name != null && ctx.dns.query.name.contains('.')", + "name": "dns.tld" + } + }, + { + "pipeline": { + "name": "common" + } + } + ] +} \ No newline at end of file From e782266caa16da0dbc9b31a42e3add5bb8e6c84d Mon Sep 17 00:00:00 2001 
From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 13 Nov 2025 19:21:31 -0600 Subject: [PATCH 2/7] suricata 8 dns v3 --- salt/elasticsearch/files/ingest/suricata.dns | 22 +++++ .../elasticsearch/files/ingest/suricata.dnsv3 | 88 +++++++++++++++++++ salt/elasticsearch/files/ingest/suricata.tld | 45 ++++++++++ 3 files changed, 155 insertions(+) create mode 100644 salt/elasticsearch/files/ingest/suricata.dnsv3 create mode 100644 salt/elasticsearch/files/ingest/suricata.tld diff --git a/salt/elasticsearch/files/ingest/suricata.dns b/salt/elasticsearch/files/ingest/suricata.dns index e9fab994c..94ae5f73b 100644 --- a/salt/elasticsearch/files/ingest/suricata.dns +++ b/salt/elasticsearch/files/ingest/suricata.dns @@ -25,6 +25,13 @@ { "rename": { "field": "message2.dns.tx_id", + "target_field": "dns.tx_id", + "ignore_missing": true + } + }, + { + "rename": { + "field": "message2.dns.id", "target_field": "dns.id", "ignore_missing": true } @@ -36,6 +43,14 @@ "ignore_missing": true } }, + { + "pipeline": { + "name": "suricata.dnsv3", + "ignore_missing_pipeline": true, + "if": "ctx?.dns?.version != null && ctx?.dns?.version == 3", + "ignore_failure": true + } + }, { "rename": { "field": "message2.dns.rrname", @@ -78,6 +93,13 @@ "ignore_missing": true } }, + { + "rename": { + "field": "message2.dns.opcode", + "target_field": "dns.opcode", + "ignore_missing": true + } + }, { "rename": { "field": "message2.dns.rcode", diff --git a/salt/elasticsearch/files/ingest/suricata.dnsv3 b/salt/elasticsearch/files/ingest/suricata.dnsv3 new file mode 100644 index 000000000..02b7f94ed --- /dev/null +++ b/salt/elasticsearch/files/ingest/suricata.dnsv3 
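Review bot: The new `suricata.dnsv3` pipeline processor in the second hunk (`@@ -36,6 +43,14 @@`) sets both `ignore_missing_pipeline` and `ignore_failure`, so a v3 event whose sub-pipeline is absent or whose scripts throw is indexed without `dns.query.name` and without any marker that enrichment was skipped; the `suricata.tld` call added to suricata.dnsv3 in PATCH 6/7 has the same shape. Detection content keyed on `dns.query.name` would then silently miss v3 traffic instead of surfacing an error in the pipeline stats. Consider replacing `"ignore_failure": true` with an `on_failure` handler that leaves a trace, e.g. `"on_failure": [ { "append": { "field": "tags", "value": "_dnsv3_pipeline_failure" } } ]` (tag value is an example), and doing the same in the PATCH 6 hunk. The `ctx?.dns?.version == 3` test presumably relies on Suricata emitting `version` as a number; a one-line `description` on the processor stating that assumption would help the next maintainer.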
@@ -0,0 +1,88 @@ +{ + "processors": [ + { + "rename": { + "field": "message2.dns.queries", + "target_field": "dns.queries", + "ignore_missing": true, + "ignore_failure": true + } + }, + { + "script": { + "source": "if (ctx?.dns?.queries != null && ctx?.dns?.queries.length > 0) {\n if (ctx.dns == null) {\n ctx.dns = new HashMap();\n }\n if (ctx.dns.query == null) {\n ctx.dns.query = new HashMap();\n }\n ctx.dns.query.name = ctx?.dns?.queries[0].rrname;\n}" + } + }, + { + "script": { + "source": "if (ctx?.dns?.queries != null && ctx?.dns?.queries.length > 0) {\n if (ctx.dns == null) {\n ctx.dns = new HashMap();\n }\n if (ctx.dns.query == null) {\n ctx.dns.query = new HashMap();\n }\n ctx.dns.query.type_name = ctx?.dns?.queries[0].rrtype;\n}" + } + }, + { + "foreach": { + "field": "dns.queries", + "processor": { + "rename": { + "field": "_ingest._value.rrname", + "target_field": "_ingest._value.name", + "ignore_missing": true + } + }, + "ignore_failure": true + } + }, + { + "foreach": { + "field": "dns.queries", + "processor": { + "rename": { + "field": "_ingest._value.rrtype", + "target_field": "_ingest._value.type_name", + "ignore_missing": true + } + }, + "ignore_failure": true + } + }, + { + "script": { + "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.name != null && q.name.contains('.')) {\n q.top_level_domain = q.name.substring(q.name.lastIndexOf('.') + 1);\n }\n }\n}" + } + }, + { + "script": { + "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.name != null && q.name.contains('.')) {\n q.query_without_tld = q.name.substring(0, q.name.lastIndexOf('.'));\n }\n }\n}" + } + }, + { + "script": { + "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.query_without_tld != null && q.query_without_tld.contains('.')) {\n q.parent_domain = q.query_without_tld.substring(q.query_without_tld.lastIndexOf('.') + 1);\n 
}\n }\n}" + } + }, + { + "script": { + "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.query_without_tld != null && q.query_without_tld.contains('.')) {\n q.subdomain = q.query_without_tld.substring(0, q.query_without_tld.lastIndexOf('.'));\n }\n }\n}" + } + }, + { + "script": { + "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.parent_domain != null && q.top_level_domain != null) {\n q.highest_registered_domain = q.parent_domain + \".\" + q.top_level_domain;\n }\n }\n}" + } + }, + { + "script": { + "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.subdomain != null) {\n q.subdomain_length = q.subdomain.length();\n }\n }\n}" + } + }, + { + "script": { + "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.parent_domain != null) {\n q.parent_domain_length = q.parent_domain.length();\n }\n }\n}" + } + }, + { + "script": { + "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n q.remove('query_without_tld');\n }\n}" + } + } + ] +} \ No newline at end of file diff --git a/salt/elasticsearch/files/ingest/suricata.tld b/salt/elasticsearch/files/ingest/suricata.tld new file mode 100644 index 000000000..f87a82d3d --- /dev/null +++ b/salt/elasticsearch/files/ingest/suricata.tld 
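Review bot: The first two script processors in the new suricata.dnsv3 file share an identical guard and differ only in the field copied from `queries[0]`, and the inner `if (ctx.dns == null)` branch in each is unreachable because the outer condition has already dereferenced `ctx.dns.queries`. Merging them into one processor with a `description` documents the intent, which is otherwise not obvious from the file (it has no top-level `description` either): `"description": "Backfill legacy dns.query.name/type_name from the first dns.queries entry (DNS EVE v3)"` and `"source": "if (ctx?.dns?.queries != null && ctx.dns.queries.length > 0) {\n  if (ctx.dns.query == null) {\n    ctx.dns.query = new HashMap();\n  }\n  ctx.dns.query.name = ctx.dns.queries[0].rrname;\n  ctx.dns.query.type_name = ctx.dns.queries[0].rrtype;\n}"`. The description should also say that only the first query is surfaced into `dns.query.*`; events with several entries keep the rest only under `dns.queries[]` after the `foreach` renames below.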
@@ -0,0 +1,45 @@ +{ + "description": "Duplicate of dns.tld for use within suricata.dns events that use dns.queries[] inplace of dns.query.x ", + "processors": [ + { + "script": { + "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.name != null && q.name.contains('.')) {\n q.top_level_domain = q.name.substring(q.name.lastIndexOf('.') + 1);\n }\n }\n}" + } + }, + { + "script": { + "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.name != null && q.name.contains('.')) {\n q.query_without_tld = q.name.substring(0, q.name.lastIndexOf('.'));\n }\n }\n}" + } + }, + { + "script": { + "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.query_without_tld != null && q.query_without_tld.contains('.')) {\n q.parent_domain = q.query_without_tld.substring(q.query_without_tld.lastIndexOf('.') + 1);\n }\n }\n}" + } + }, + { + "script": { + "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.query_without_tld != null && q.query_without_tld.contains('.')) {\n q.subdomain = q.query_without_tld.substring(0, q.query_without_tld.lastIndexOf('.'));\n }\n }\n}" + } + }, + { + "script": { + "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.parent_domain != null && q.top_level_domain != null) {\n q.highest_registered_domain = q.parent_domain + \".\" + q.top_level_domain;\n }\n }\n}" + } + }, + { + "script": { + "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.subdomain != null) {\n q.subdomain_length = q.subdomain.length();\n }\n }\n}" + } + }, + { + "script": { + "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.parent_domain != null) {\n q.parent_domain_length = q.parent_domain.length();\n }\n }\n}" + } + }, + { + "script": { + 
"source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n q.remove('query_without_tld');\n }\n}" + } + } + ] +} \ No newline at end of file From 431e0b0780602a2f2dfddbde3b292ae8f2a5750c Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 13 Nov 2025 19:29:50 -0600 Subject: [PATCH 3/7] format suricata.alert json --- .../elasticsearch/files/ingest/suricata.alert | 84 ++++++++++++++++--- 1 file changed, 71 insertions(+), 13 deletions(-) diff --git a/salt/elasticsearch/files/ingest/suricata.alert b/salt/elasticsearch/files/ingest/suricata.alert index 3d0241e48..a6ce3d3a0 100644 --- a/salt/elasticsearch/files/ingest/suricata.alert +++ b/salt/elasticsearch/files/ingest/suricata.alert 
@@ -1,15 +1,73 @@ { - "description" : "suricata.alert", - "processors" : [ - { "set": { "if": "ctx.event?.imported != true", "field": "_index", "value": "logs-suricata.alerts-so" } }, - { "set": { "field": "tags","value": "alert" }}, - { "rename":{ "field": "message2.alert", "target_field": "rule", "ignore_failure": true } }, - { "rename":{ "field": "rule.signature", "target_field": "rule.name", "ignore_failure": true } }, - { "rename":{ "field": "rule.ref", "target_field": "rule.version", "ignore_failure": true } }, - { "rename":{ "field": "rule.signature_id", "target_field": "rule.uuid", "ignore_failure": true } }, - { "rename":{ "field": "rule.signature_id", "target_field": "rule.signature", "ignore_failure": true } }, - { "rename":{ "field": "message2.payload_printable", "target_field": "network.data.decoded", "ignore_failure": true } }, - { "dissect": { "field": "rule.rule", "pattern": "%{?prefix}content:\"%{dns.query_name}\"%{?remainder}", "ignore_missing": true, "ignore_failure": true } }, - { "pipeline": { "name": "common.nids" } } - ] + "description": "suricata.alert", + "processors": [ + { + "set": { + "if": "ctx.event?.imported != true", + "field": "_index", + "value": "logs-suricata.alerts-so" + } + }, + { + "set": { + "field": "tags", + "value": "alert" + } + }, + { + "rename": { + "field": "message2.alert", + "target_field": "rule", + "ignore_failure": true + } + }, + { + "rename": { + "field": "rule.signature", + "target_field": "rule.name", + "ignore_failure": true + } + }, + { + "rename": { + "field": "rule.ref", + "target_field": "rule.version", + "ignore_failure": true + } + }, + { + "rename": { + "field": "rule.signature_id", + "target_field": "rule.uuid", + "ignore_failure": true + } + }, + { + "rename": { + "field": "rule.signature_id", + "target_field": "rule.signature", + "ignore_failure": true + } + }, + { + "rename": { + "field": "message2.payload_printable", + "target_field": "network.data.decoded", + "ignore_failure": true + } + }, + { + 
"dissect": { + "field": "rule.rule", + "pattern": "%{?prefix}content:\"%{dns.query_name}\"%{?remainder}", + "ignore_missing": true, + "ignore_failure": true + } + }, + { + "pipeline": { + "name": "common.nids" + } + } + ] } \ No newline at end of file From da9717bc79dcbd3ae5deb91a6d00fde768e81144 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Fri, 14 Nov 2025 08:15:40 -0600 Subject: [PATCH 4/7] don't attempt rename if field doesn't exist -- reducing pipeline stat errors --- salt/elasticsearch/files/ingest/suricata.alert | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/salt/elasticsearch/files/ingest/suricata.alert b/salt/elasticsearch/files/ingest/suricata.alert index a6ce3d3a0..ca5bef437 100644 --- a/salt/elasticsearch/files/ingest/suricata.alert +++ b/salt/elasticsearch/files/ingest/suricata.alert @@ -18,6 +18,7 @@ "rename": { "field": "message2.alert", "target_field": "rule", + "ignore_missing": true, "ignore_failure": true } }, @@ -25,6 +26,7 @@ "rename": { "field": "rule.signature", "target_field": "rule.name", + "ignore_missing": true, "ignore_failure": true } }, @@ -32,6 +34,7 @@ "rename": { "field": "rule.ref", "target_field": "rule.version", + "ignore_missing": true, "ignore_failure": true } }, @@ -39,6 +42,7 @@ "rename": { "field": "rule.signature_id", "target_field": "rule.uuid", + "ignore_missing": true, "ignore_failure": true } }, @@ -46,6 +50,7 @@ "rename": { "field": "rule.signature_id", "target_field": "rule.signature", + "ignore_missing": true, "ignore_failure": true } }, @@ -53,6 +58,7 @@ "rename": { "field": "message2.payload_printable", "target_field": "network.data.decoded", + "ignore_missing": true, "ignore_failure": true } }, From 4314c79f85ae129906ed366d4501841fd5f7ad81 Mon Sep 17 00:00:00 2001 
From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Fri, 14 Nov 2025 08:24:31 -0600 Subject: [PATCH 5/7] bump suricata dns logging version --- salt/suricata/suricata_mdengine.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/suricata/suricata_mdengine.yaml b/salt/suricata/suricata_mdengine.yaml index 1c3855501..8a0c502fc 100644 --- a/salt/suricata/suricata_mdengine.yaml +++ b/salt/suricata/suricata_mdengine.yaml @@ -29,7 +29,7 @@ suricata: #custom: [Accept-Encoding, Accept-Language, Authorization] # dump-all-headers: none - dns: - version: 2 + version: 3 enabled: "yes" #requests: "no" #responses: "no" From 1542b741336d3b2847f79bba89db987b89ddf3f4 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Fri, 14 Nov 2025 09:24:58 -0600 Subject: [PATCH 6/7] move dns tld fields to its own pipeline --- .../elasticsearch/files/ingest/suricata.dnsv3 | 42 +++---------------- 1 file changed, 5 insertions(+), 37 deletions(-) diff --git a/salt/elasticsearch/files/ingest/suricata.dnsv3 b/salt/elasticsearch/files/ingest/suricata.dnsv3 index 02b7f94ed..0e804364b 100644 --- a/salt/elasticsearch/files/ingest/suricata.dnsv3 +++ b/salt/elasticsearch/files/ingest/suricata.dnsv3 
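Review bot: Raising `dns.version` to 3 changes the EVE DNS record layout that the ingest side has to understand (this series adds the `suricata.dnsv3` pipeline for it), and the `suricata.dns` pipeline only calls that sub-pipeline with `ignore_missing_pipeline` set, so a sensor that picks up this config before the pipelines are loaded emits events that index without `dns.query.name`. A comment next to the value would tie the two together: `version: 3  # EVE DNS v3 layout; parsed by the suricata.dnsv3 ingest pipeline, keep in sync`. Whether the state files guarantee the pipeline is applied before the sensor config cannot be told from this diff.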
@@ -45,43 +45,11 @@ } }, { - "script": { - "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.name != null && q.name.contains('.')) {\n q.top_level_domain = q.name.substring(q.name.lastIndexOf('.') + 1);\n }\n }\n}" - } - }, - { - "script": { - "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.name != null && q.name.contains('.')) {\n q.query_without_tld = q.name.substring(0, q.name.lastIndexOf('.'));\n }\n }\n}" - } - }, - { - "script": { - "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.query_without_tld != null && q.query_without_tld.contains('.')) {\n q.parent_domain = q.query_without_tld.substring(q.query_without_tld.lastIndexOf('.') + 1);\n }\n }\n}" - } - }, - { - "script": { - "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.query_without_tld != null && q.query_without_tld.contains('.')) {\n q.subdomain = q.query_without_tld.substring(0, q.query_without_tld.lastIndexOf('.'));\n }\n }\n}" - } - }, - { - "script": { - "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.parent_domain != null && q.top_level_domain != null) {\n q.highest_registered_domain = q.parent_domain + \".\" + q.top_level_domain;\n }\n }\n}" - } - }, - { - "script": { - "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.subdomain != null) {\n q.subdomain_length = q.subdomain.length();\n }\n }\n}" - } - }, - { - "script": { - "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.parent_domain != null) {\n q.parent_domain_length = q.parent_domain.length();\n }\n }\n}" - } - }, - { - "script": { - "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n q.remove('query_without_tld');\n }\n}" + 
"pipeline": { + "name": "suricata.tld", + "ignore_missing_pipeline": true, + "if": "ctx?.dns?.queries != null && ctx?.dns?.queries.length > 0", + "ignore_failure": true } } ] From 211bf7e77bddaf25b76cb256dad58d44fe9372ab Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Fri, 14 Nov 2025 09:25:19 -0600 Subject: [PATCH 7/7] ignore errors on tld script --- salt/elasticsearch/files/ingest/suricata.tld | 25 +++++++++++++------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/salt/elasticsearch/files/ingest/suricata.tld b/salt/elasticsearch/files/ingest/suricata.tld index f87a82d3d..aa0d67e1e 100644 --- a/salt/elasticsearch/files/ingest/suricata.tld +++ b/salt/elasticsearch/files/ingest/suricata.tld 
@@ -1,44 +1,51 @@ { - "description": "Duplicate of dns.tld for use within suricata.dns events that use dns.queries[] inplace of dns.query.x ", "processors": [ { "script": { - "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.name != null && q.name.contains('.')) {\n q.top_level_domain = q.name.substring(q.name.lastIndexOf('.') + 1);\n }\n }\n}" + "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.name != null && q.name.contains('.')) {\n q.top_level_domain = q.name.substring(q.name.lastIndexOf('.') + 1);\n }\n }\n}", + "ignore_failure": true } }, { "script": { - "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.name != null && q.name.contains('.')) {\n q.query_without_tld = q.name.substring(0, q.name.lastIndexOf('.'));\n }\n }\n}" + "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.name != null && q.name.contains('.')) {\n q.query_without_tld = q.name.substring(0, q.name.lastIndexOf('.'));\n }\n }\n}", + "ignore_failure": true } }, { "script": { - "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.query_without_tld != null && q.query_without_tld.contains('.')) {\n q.parent_domain = q.query_without_tld.substring(q.query_without_tld.lastIndexOf('.') + 1);\n }\n }\n}" + "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.query_without_tld != null && q.query_without_tld.contains('.')) {\n q.parent_domain = q.query_without_tld.substring(q.query_without_tld.lastIndexOf('.') + 1);\n }\n }\n}", + "ignore_failure": true } }, { "script": { - "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.query_without_tld != null && q.query_without_tld.contains('.')) {\n q.subdomain = q.query_without_tld.substring(0, 
q.query_without_tld.lastIndexOf('.'));\n }\n }\n}" + "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.query_without_tld != null && q.query_without_tld.contains('.')) {\n q.subdomain = q.query_without_tld.substring(0, q.query_without_tld.lastIndexOf('.'));\n }\n }\n}", + "ignore_failure": true } }, { "script": { - "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.parent_domain != null && q.top_level_domain != null) {\n q.highest_registered_domain = q.parent_domain + \".\" + q.top_level_domain;\n }\n }\n}" + "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.parent_domain != null && q.top_level_domain != null) {\n q.highest_registered_domain = q.parent_domain + \".\" + q.top_level_domain;\n }\n }\n}", + "ignore_failure": true } }, { "script": { - "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.subdomain != null) {\n q.subdomain_length = q.subdomain.length();\n }\n }\n}" + "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.subdomain != null) {\n q.subdomain_length = q.subdomain.length();\n }\n }\n}", + "ignore_failure": true } }, { "script": { - "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.parent_domain != null) {\n q.parent_domain_length = q.parent_domain.length();\n }\n }\n}" + "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.parent_domain != null) {\n q.parent_domain_length = q.parent_domain.length();\n }\n }\n}", + "ignore_failure": true } }, { "script": { - "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n q.remove('query_without_tld');\n }\n}" + "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n 
q.remove('query_without_tld');\n }\n}", + "ignore_failure": true } } ]