Instantly share code, notes, and snippets.

Embed
What would you like to do?
pi-hole / dnsmasq pipeline rules to use with graylog pipeline rules
rule "dnsmasq clean message"
when
has_field("programname") AND contains(to_string($message.programname), "dnsmasq")
then
let m = regex("^.+: (.+)$", to_string($message.message));
let clean_message = m["0"];
// Set a better message field without the prefix clutter.
set_field("message", clean_message);
end
rule "dnsmasq pihole list"
when
has_field("application_name") AND contains(to_string($message.application_name), "pihole")
then
let message_field = to_string($message.message);
// pihole GROK Pattern neeed to be present!
// %{SYSLOGTIMESTAMP:query_timestamp} %{WORD: programname}\[%{POSINT:procid}\]: %{NOTSPACE:query_list} %{NOTSPACE:query_domain} is %{NOTSPACE:query_answer}
let action = grok(pattern: "%{PIHOLE}", value: message_field, only_named_captures: true);
set_fields(action);
set_field("pipeline", "dnsmasq pihole list");
end
rule "dnsmasq split"
when
has_field("application_name") AND contains(to_string($message.application_name), "pihole")
then
let message_field = to_string($message.message);
// DNSMASQ GROK Pattern neeed to be present!
// %{SYSLOGTIMESTAMP:query_timestamp} %{WORD: programname}\[%{POSINT:procid}\]: %{WORD:query_action}(?:\[%{WORD:query_type}\]|%{SPACE}) %{NOTSPACE:query_domain} (?:from %{NOTSPACE:query_source}|is %{NOTSPACE:query_answer}|to %{NOTSPACE:query_target})
let action = grok(pattern: "%{DNSMASQ}", value: message_field, only_named_captures: true);
set_fields(action);
set_field("pipeline", "dnsmasq split");
end
rule "threatintel (2) inflate"
when
to_bool($message.query_answer_threat_indicated) OR to_bool($message.query_domain_threat_indicated)
then
set_field("threat_indicated", true);
// set debug mark
set_field("pipeline", "threatintel (2)" );
end
rule "threatintel (dnsmasq)"
when
has_field("query_answer") OR has_field("query_domain")
then
// Read the README!!
// https://github.com/Graylog2/graylog-plugin-threatintel
// first look up the IP that is in query_answer
let query_answer_intel = threat_intel_lookup_ip(to_string($message.query_answer), "query_answer");
set_fields(query_answer_intel);
// look up DNS Requested Domain or Domain that is in response
let query_domain_intel = threat_intel_lookup_domain(to_string($message.query_domain), "query_domain");
set_fields(query_domain_intel);
let whois_intel = whois_lookup_ip(to_string($message.query_answer), "query_answer");
set_fields(whois_intel);
let intel = otx_lookup_ip(to_string($message.query_answer));
let intel = otx_lookup_domain(to_string($message.query_domain));
set_field("threat_indicated", intel.otx_threat_indicated);
set_field("threat_ids", intel.otx_threat_ids);
set_field("threat_names", intel.otx_threat_names);
// set debug mark
set_field("pipeline", "threatintel (1)" );
end
@gitty8

This comment has been minimized.

Copy link

gitty8 commented Apr 17, 2017

https://jalogisch.de/2017/der-eigene-dns-resolver-zuhause/

What rule are you using at Stage -9 ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment