pi-hole / dnsmasq parsing and threat-intel rules for the Graylog pipeline processor (requires the Graylog threatintel plugin and two custom grok patterns, PIHOLE and DNSMASQ, given in the comments below)
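rule "dnsmasq clean message"
when
  // Only rewrite `message` when the syslog-style "<prefix>: " separator is
  // really present. The original rule indexed the match result unconditionally,
  // so a dnsmasq line without ": " had its message overwritten with nothing.
  has_field("programname") AND contains(to_string($message.programname), "dnsmasq") AND
  regex("^.+?: (.+)$", to_string($message.message)).matches
then
  // Non-greedy prefix: strip only the leading "<timestamp> <prog>[<pid>]: " part.
  // The greedy original (^.+: ) cut at the LAST ": " and silently dropped body
  // text whenever the body itself contained a colon-space.
  let m = regex("^.+?: (.+)$", to_string($message.message));
  // NOTE(review): the PIHOLE/DNSMASQ grok patterns used by the other rules
  // expect the untouched prefix, so this rule must run in a stage after them.
  set_field("message", m["0"]);
end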
rule "dnsmasq pihole list"
when
  // Same selector as "dnsmasq split": a case-sensitive substring test on
  // application_name, so every pi-hole line is offered to both rules.
  has_field("application_name") AND contains(to_string($message.application_name), "pihole")
then
  // Needs a custom grok pattern named PIHOLE in the Graylog pattern store:
  //   %{SYSLOGTIMESTAMP:query_timestamp} %{WORD:programname}\[%{POSINT:procid}\]: %{NOTSPACE:query_list} %{NOTSPACE:query_domain} is %{NOTSPACE:query_answer}
  // (write %{WORD:programname} without a space after the colon -- the spaced
  // form is not valid grok capture syntax).
  // Only named captures are kept; a line that does not match yields no fields.
  let captures = grok(pattern: "%{PIHOLE}", value: to_string($message.message), only_named_captures: true);
  set_fields(captures);
  // Debug marker naming the last rule that touched the message. It is written
  // even when the pattern did not match, so do not treat it as "parsed OK".
  // NOTE(review): query_domain / query_answer come straight from DNS traffic and
  // are therefore client-controlled; validate before using them in lookups.
  set_field("pipeline", "dnsmasq pihole list");
end
rule "dnsmasq split"
when
  // Same selector as "dnsmasq pihole list" (case-sensitive substring match).
  has_field("application_name") AND contains(to_string($message.application_name), "pihole")
then
  // Needs a custom grok pattern named DNSMASQ in the Graylog pattern store:
  //   %{SYSLOGTIMESTAMP:query_timestamp} %{WORD:programname}\[%{POSINT:procid}\]: %{WORD:query_action}(?:\[%{WORD:query_type}\]|%{SPACE}) %{NOTSPACE:query_domain} (?:from %{NOTSPACE:query_source}|is %{NOTSPACE:query_answer}|to %{NOTSPACE:query_target})
  // (write %{WORD:programname} without a space after the colon -- the spaced
  // form is not valid grok capture syntax).
  // Exactly one of query_source / query_answer / query_target is produced per
  // line, depending on whether it is a query, a reply or a forward.
  // NOTE(review): query_answer is NOTSPACE, so it is not necessarily an IP --
  // dnsmasq replies also log values such as NXDOMAIN or <CNAME>. Downstream
  // IP lookups should check is_ip() first.
  let captures = grok(pattern: "%{DNSMASQ}", value: to_string($message.message), only_named_captures: true);
  set_fields(captures);
  // Debug marker; written even when the pattern did not match.
  set_field("pipeline", "dnsmasq split");
end
rule "threatintel (2) inflate"
when
  // Collapse the two per-field flags written by the lookup rule
  // (query_domain_threat_indicated / query_answer_threat_indicated) into one.
  // A missing field is treated as false by to_bool, so no has_field guard is needed.
  to_bool($message.query_domain_threat_indicated) OR to_bool($message.query_answer_threat_indicated)
then
  set_field("threat_indicated", true);
  // NOTE(review): "threatintel (dnsmasq)" also writes threat_indicated from the
  // OTX verdict; this rule has to run in a later stage or that write wins.
  // Debug marker naming the last rule that touched the message.
  set_field("pipeline", "threatintel (2)");
end
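rule "threatintel (dnsmasq)"
when
  has_field("query_answer") OR has_field("query_domain")
then
  // Read the plugin README before enabling this:
  // https://github.com/Graylog2/graylog-plugin-threatintel
  //
  // NOTE(review): query_domain / query_answer are whatever a client asked for
  // or got back, so any host on the LAN controls what is sent to OTX and whois.
  // Internal hostnames leave the network through these lookups, and every DNS
  // line costs external requests; filter internal zones in `when` (e.g. via a
  // lookup table) if that matters to you.
  // NOTE(review): the rule language has no `if`, so both lookups run even when
  // only one field is present, and query_answer is NOTSPACE in the DNSMASQ grok
  // pattern (it can be NXDOMAIN or <CNAME>, not only an IP). The clean fix is
  // two rules, one guarded by is_ip(query_answer), one by has_field("query_domain").
  let answer = to_string($message.query_answer);
  let domain = to_string($message.query_domain);

  // Plugin threat lists; results land as query_answer_threat_* / query_domain_threat_*.
  let query_answer_intel = threat_intel_lookup_ip(answer, "query_answer");
  set_fields(query_answer_intel);
  let query_domain_intel = threat_intel_lookup_domain(domain, "query_domain");
  set_fields(query_domain_intel);

  let whois_intel = whois_lookup_ip(answer, "query_answer");
  set_fields(whois_intel);

  // OTX: keep BOTH results. The original re-bound `intel` to the domain lookup,
  // discarding the IP lookup entirely, and then reported only the domain
  // verdict in threat_indicated.
  let otx_ip = otx_lookup_ip(answer);
  let otx_domain = otx_lookup_domain(domain);
  set_field("query_answer_otx_threat_indicated", otx_ip.otx_threat_indicated);
  set_field("query_answer_otx_threat_ids", otx_ip.otx_threat_ids);
  set_field("query_answer_otx_threat_names", otx_ip.otx_threat_names);
  // threat_indicated is true if either OTX lookup hit. threat_ids / threat_names
  // keep their original meaning (domain lookup) so existing searches still work.
  set_field("threat_indicated", to_bool(otx_ip.otx_threat_indicated) OR to_bool(otx_domain.otx_threat_indicated));
  set_field("threat_ids", otx_domain.otx_threat_ids);
  set_field("threat_names", otx_domain.otx_threat_names);
  // Debug marker naming the last rule that touched the message.
  set_field("pipeline", "threatintel (1)");
end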
gitty8 commented Apr 17, 2017

https://jalogisch.de/2017/der-eigene-dns-resolver-zuhause/

What rule are you using at stage -9?
