@faststeak
Last active November 3, 2017 18:45
A nice DNS search for Splunk
| tstats `summariesonly` count from datamodel=Network_Resolution.DNS where DNS.record_type="A*" NOT DNS.query="SomeHostNames*" NOT DNS.query="*.arpa" NOT DNS.query="_ldap*" NOT DNS.query="_gc*" NOT DNS.query="_kerberos*" by DNS.query DNS.src
| rename DNS.query as query DNS.src as src
| eval query_punct=query
| rex mode=sed field=query_punct "s/\w+//g"
| search NOT query_punct="--.-.----"
| `ut_shannon(query)`
| stats sum(ut_shannon) as ut_shannon_sum values(query) as query by src
| where ut_shannon_sum<1000
| sort - ut_shannon_sum
@faststeak

Requires URL Toolbox - https://splunkbase.splunk.com/app/2734/ and Network Resolution Datamodel

@faststeak

Averaging the ut_shannon score is also interesting.
If you have ES, do a lookup:
| lookup asset_lookup_by_str ip as src OUTPUT dns nt_host
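The search above scores each source by summing the Shannon entropy of the names it resolved, after stripping reverse-lookup and AD service-record noise and the `--.-.----` punctuation shape. The following is an added Python example, not code from the gist or from URL Toolbox, that reproduces that pipeline outside Splunk so you can see what `ut_shannon`, the `rex mode=sed` punctuation skeleton and the per-source sum actually produce; it also computes the per-query average suggested in the comment. The sample records, the `max_sum` parameter and the function names (`shannon_entropy`, `punct_pattern`, `in_scope`, `entropy_by_src`) are my own choices; URL Toolbox's implementation is not consulted here.

```python
import math
import re
from collections import defaultdict

# Constructed sample (query, src) pairs, shaped like the tstats output after the
# `rename` step. Made-up hostnames and addresses, not real traffic.
SAMPLE_DNS = [
    ("www.example.com", "10.0.0.5"),
    ("mail.example.com", "10.0.0.5"),
    ("5.0.0.10.in-addr.arpa", "10.0.0.5"),      # dropped: NOT DNS.query="*.arpa"
    ("_ldap._tcp.example.com", "10.0.0.5"),     # dropped: NOT DNS.query="_ldap*"
    ("a-b-c.d-e.f-g-h-i-j", "10.0.0.7"),        # punct "--.-.----": dropped by the search filter
    ("x7k2q9zp3m.example.net", "10.0.0.9"),
    ("f4j8w1n6tb.example.net", "10.0.0.9"),
    ("zz0q1r2s3t.example.net", "10.0.0.9"),
]

EXCLUDED_PUNCT = "--.-.----"   # the shape the search drops with `NOT query_punct=...`


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character, the quantity `ut_shannon` adds as a field."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def punct_pattern(query: str) -> str:
    """Mirror of `rex mode=sed field=query_punct "s/\\w+//g"`: strip every run of
    word characters so only the punctuation skeleton of the name remains."""
    return re.sub(r"\w+", "", query)


def in_scope(query: str) -> bool:
    """Mirror of the NOT clauses in the tstats `where` plus the punct filter:
    drop reverse-lookup names, AD service records and the excluded shape."""
    q = query.lower()
    if q.endswith(".arpa"):
        return False
    if q.startswith(("_ldap", "_gc", "_kerberos")):
        return False
    return punct_pattern(query) != EXCLUDED_PUNCT


def entropy_by_src(records, max_sum=1000.0):
    """Mirror of the `stats sum(ut_shannon) ... by src | where ... | sort` tail.

    Returns (src, summary) tuples sorted by descending entropy sum, keeping only
    sources whose sum is below `max_sum` (the search uses 1000). The summary also
    carries the per-query average, the variant suggested in the comments.
    """
    per_src = defaultdict(lambda: {"ut_shannon_sum": 0.0, "count": 0, "query": set()})
    for query, src in records:
        if not in_scope(query):
            continue
        entry = per_src[src]
        entry["ut_shannon_sum"] += shannon_entropy(query)
        entry["count"] += 1
        entry["query"].add(query)

    rows = []
    for src, entry in per_src.items():
        if entry["ut_shannon_sum"] >= max_sum:
            continue
        rows.append((src, {
            "ut_shannon_sum": round(entry["ut_shannon_sum"], 3),
            "ut_shannon_avg": round(entry["ut_shannon_sum"] / entry["count"], 3),
            "query": sorted(entry["query"]),
        }))
    rows.sort(key=lambda row: row[1]["ut_shannon_sum"], reverse=True)
    return rows


if __name__ == "__main__":
    for src, summary in entropy_by_src(SAMPLE_DNS):
        print(src, summary)
```

Running it ranks the host that resolved three random-looking labels above the one that only resolved `www` and `mail`, while the `.arpa`, `_ldap` and `--.-.----` names never contribute. The sum rewards volume as much as randomness, which is why the average (`ut_shannon_avg`) is worth looking at alongside it: a chatty source with ordinary names can out-score a quiet one making a handful of high-entropy lookups.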

@faststeak

index=dns NOT reply_code=NoError NOT query="somehosts*" NOT query=*.arpa NOT record_type=nimloc dest_ip!="224.0.0.252" NOT protocol_stack=ip:tcp:dns NOT query=_*
| stats count values(query) as query values(reply_code) as reply_code by src_ip protocol_stack message_type dest_ip dest_port record_type
| eval ip=lower(dest_ip)
