# Original Author: Justin Henderson
#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 5/13/2017

filter {
  if [type] == "bro_dns" or "dns" in [tags] {
    # Used for whois lookups - can create log loop
    if [query] =~ "^whois\." {
      drop { }
    }
    # REPLACE test.int with your internal domain
    if [query] and [query] !~ "\.test\.int$" {
      mutate {
        lowercase => [ "query" ]
      }
      if [query_type_name] != "NB" and [query_type_name] != "TKEY" and [query_type_name] != "NBSTAT" and [query_type_name] != "PTR" {
        tld {
          source => "query"
        }
        ruby {
          code => "event.set('query_length', event.get('query').length)"
        }
        mutate {
          rename => { "[SubLog][sessionid]" => "sub_session_id" }
          rename => { "[tld][domain]" => "highest_registered_domain" }
          rename => { "[tld][trd]" => "subdomain" }
          rename => { "[tld][tld]" => "top_level_domain" }
          rename => { "[tld][sld]" => "parent_domain" }
        }
        if [parent_domain] {
          ruby {
            code => "event.set('parent_domain_length', event.get('parent_domain').length)"
          }
        }
        if [subdomain] {
          ruby {
            code => "event.set('subdomain_length', event.get('subdomain').length)"
          }
        }
      }
    }
	mutate {
		#add_tag => [ "conf_file_8006"]
	}
  }
}