Splunk Enterprise Security

Can you help me with a problem I'm having with Bro's DNS logs and Correlation Searches?

bkirk
Path Finder

The Detect Long DNS TXT Record Response does not show anything:

| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type |  `drop_dm_object_name("DNS")` | eval anslen=len(answer) | search anslen>100 | `ctime(firstTime)` | `ctime(lastTime)` | rename src as "Source IP", dest as "Destination IP", answer as "DNS Answer" anslen as "Answer Length" record_type as "DNS Record Type" firstTime as "First Time" lastTime as "Last Time" count as Count | table "Source IP" "Destination IP" "DNS Answer" "DNS Record Type"  "Answer Length" Count "First Time" "Last Time"

Seems like all the Network_Resolution datamodel message_type and answers are unknown:

answer   record_type   message_type   count
unknown  TXT           unknown        44058
unknown  TXT           unknown        25818
unknown  TXT           unknown        22868
unknown  TXT           unknown        17916
unknown  TXT           unknown        16092
unknown  TXT           unknown        16087
unknown  TXT           unknown         8159

I cut out the src and dest, but as you can see I would get nothing since all the message_types are unknown and the search is looking for responses. I think every Bro DNS log is both a query and a response if the DNS server responds to the query.

Do I need to do something special to get the message type of response and the data in the answers? I know that there is data in the answers field for the index=bro sourcetype=bro_dns:

_time   query   qtype_name  answers rcode_name  tag vendor
28:53.2 10.231.36.73.imwyyj2pluwatbkhz2yqgkzte3fhckp.r.mail-abuse.com   TXT TXT 143 Mail from 73.36.231.10 blocked using Trend Micro Email Reputation database. Please see <http://www.mail-abuse.com/cgi-bin/lookup?\\73.36.231.10>    NOERROR dns,network,resolution  Bro

Anyone else using Bro to get DNS into Splunk?

Thank you,
Brian

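The gap described in the question is a CIM mapping problem: Bro writes one dns.log line per transaction, so nothing in the raw event is literally "message_type=response", and the Network_Resolution field is "answer" while Bro's field is "answers". The following added example (it is not part of the original post, nor code from Splunk or the Bro project) shows the derivation in Python over constructed dns.log-style records, then applies the same "TXT answer longer than 100 characters" check that the Detect Long DNS TXT Record Response search performs. The Bro field names id.orig_h, id.resp_h, query, qtype_name, rcode_name and answers are real dns.log columns; the sample values and the hostnames are made up.

```python
# Added example (not from the original post): derive the CIM Network_Resolution
# fields message_type / answer from Bro dns.log-style records and apply the
# long-TXT-answer check used by the Enterprise Security correlation search.
from typing import Dict, List, Optional

# Constructed sample records in the shape of Bro dns.log columns.
# Bro writes "-" for an unset field; only the first record is a long TXT response.
LONG_TXT_ANSWER = "TXT 143 " + "Mail from 73.36.231.10 blocked. " * 4  # 136 chars

SAMPLE_DNS_LOG: List[Dict[str, str]] = [
    {   # TXT lookup that the server answered with a long text record
        "id.orig_h": "10.231.36.73", "id.resp_h": "10.231.36.53",
        "query": "10.231.36.73.dnsbl.example.invalid", "qtype_name": "TXT",
        "rcode_name": "NOERROR", "answers": LONG_TXT_ANSWER,
    },
    {   # TXT lookup with a short answer (normal SPF-style record)
        "id.orig_h": "10.231.36.74", "id.resp_h": "10.231.36.53",
        "query": "example.invalid", "qtype_name": "TXT",
        "rcode_name": "NOERROR", "answers": "TXT 10 v=spf1 -all",
    },
    {   # TXT query the server never answered: no rcode, no answers
        "id.orig_h": "10.231.36.75", "id.resp_h": "10.231.36.53",
        "query": "unanswered.example.invalid", "qtype_name": "TXT",
        "rcode_name": "-", "answers": "-",
    },
    {   # Ordinary A record response; wrong record type for this detection
        "id.orig_h": "10.231.36.76", "id.resp_h": "10.231.36.53",
        "query": "www.example.invalid", "qtype_name": "A",
        "rcode_name": "NOERROR", "answers": "192.0.2.10",
    },
]


def is_set(value: Optional[str]) -> bool:
    """Bro marks an unset column with '-'; treat that and empty as unset."""
    return bool(value) and value != "-"


def cim_message_type(rec: Dict[str, str]) -> str:
    """A dns.log line folds query and response together, so the line is a
    response whenever the server side of the transaction is populated."""
    if is_set(rec.get("rcode_name")) or is_set(rec.get("answers")):
        return "response"
    return "query"


def cim_answer(rec: Dict[str, str]) -> str:
    """Alias Bro's 'answers' to the CIM 'answer' field; 'unknown' mirrors what
    the datamodel shows when no value is mapped."""
    return rec["answers"] if is_set(rec.get("answers")) else "unknown"


def to_cim(rec: Dict[str, str]) -> Dict[str, str]:
    """Map one Bro record onto the Network_Resolution fields the search uses."""
    return {
        "src": rec.get("id.orig_h", "unknown"),
        "dest": rec.get("id.resp_h", "unknown"),
        "query": rec.get("query", "unknown"),
        "record_type": rec.get("qtype_name", "unknown"),
        "message_type": cim_message_type(rec),
        "answer": cim_answer(rec),
    }


def long_txt_responses(records: List[Dict[str, str]], threshold: int = 100) -> List[Dict]:
    """Equivalent of the correlation search: TXT responses whose answer length
    exceeds the threshold (100 in the Enterprise Security content)."""
    hits = []
    for rec in records:
        cim = to_cim(rec)
        if cim["message_type"] != "response" or cim["record_type"] != "TXT":
            continue
        anslen = len(cim["answer"])
        if anslen > threshold:
            hits.append({**cim, "anslen": anslen})
    return hits


if __name__ == "__main__":
    for hit in long_txt_responses(SAMPLE_DNS_LOG):
        print(hit["src"], hit["dest"], hit["anslen"], hit["answer"][:40] + "...")
```

In Splunk the same derivation normally lives in knowledge objects on the bro_dns sourcetype rather than in the search: an EVAL-message_type setting in props.conf that returns "response" when rcode_name or answers is populated and "query" otherwise, and a FIELDALIAS mapping answers to answer. After adding them, re-run the tstats summary from the question grouped by DNS.message_type; the "unknown" rows should disappear and the TXT responses should carry their text, at which point the anslen filter has something to act on.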