mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-14 05:02:52 +01:00
48 lines
1.4 KiB
Plaintext
48 lines
1.4 KiB
Plaintext
# Original Author: Justin Henderson
|
|
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
|
|
# Updated by: Doug Burks
|
|
# Last Update: 5/13/2017
|
|
|
|
filter {
|
|
if [type] == "bro_dns" or "dns" in [tags] {
|
|
# Used for whois lookups - can create log loop
|
|
if [query] =~ "^whois\." {
|
|
drop { }
|
|
}
|
|
# REPLACE test.int with your internal domain
|
|
if [query] and [query] !~ "\.test\.int$" {
|
|
mutate {
|
|
lowercase => [ "query" ]
|
|
}
|
|
if [query_type_name] != "NB" and [query_type_name] != "TKEY" and [query_type_name] != "NBSTAT" and [query_type_name] != "PTR" {
|
|
tld {
|
|
source => "query"
|
|
}
|
|
ruby {
|
|
code => "event.set('query_length', event.get('query').length)"
|
|
}
|
|
mutate {
|
|
rename => { "[SubLog][sessionid]" => "sub_session_id" }
|
|
rename => { "[tld][domain]" => "highest_registered_domain" }
|
|
rename => { "[tld][trd]" => "subdomain" }
|
|
rename => { "[tld][tld]" => "top_level_domain" }
|
|
rename => { "[tld][sld]" => "parent_domain" }
|
|
}
|
|
if [parent_domain] {
|
|
ruby {
|
|
code => "event.set('parent_domain_length', event.get('parent_domain').length)"
|
|
}
|
|
}
|
|
if [subdomain] {
|
|
ruby {
|
|
code => "event.set('subdomain_length', event.get('subdomain').length)"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
mutate {
|
|
#add_tag => [ "conf_file_8006"]
|
|
}
|
|
}
|
|
}
|