pi-hole / dnsmasq rules for use with Graylog processing pipelines
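rule "dnsmasq clean message"
// Strips the "<program>[<pid>]: " prefix from the message so that the
// message field holds only the dnsmasq log text. The grok patterns used
// by the "dnsmasq pihole list" / "dnsmasq split" rules expect that prefix
// to still be present, so this rule presumably belongs in a later stage.
when
  has_field("programname") AND
  contains(to_string($message.programname), "dnsmasq") AND
  // Only fire when the prefix is actually there; otherwise the rule would
  // replace `message` with the (empty) capture of a failed match.
  regex("^.+: (.+)$", to_string($message.message)).matches
then
  let m = regex("^.+: (.+)$", to_string($message.message));
  // Key "0" is the first capture group. The greedy `^.+` anchors on the
  // LAST ": " in the line, so a message body that itself contains ": "
  // is cut down to its tail.
  let clean_message = m["0"];
  set_field("message", clean_message);
end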
rule "dnsmasq pihole list"
// Parses pi-hole blocklist hits ("<list> <domain> is <answer>") into
// query_list / query_domain / query_answer fields.
when
  has_field("application_name") AND
  contains(to_string($message.application_name), "pihole")
then
  // A grok pattern named PIHOLE must be configured in Graylog, e.g.:
  // %{SYSLOGTIMESTAMP:query_timestamp} %{WORD: programname}\[%{POSINT:procid}\]: %{NOTSPACE:query_list} %{NOTSPACE:query_domain} is %{NOTSPACE:query_answer}
  // NOTE(review): the space in `%{WORD: programname}` looks like a typo —
  // confirm it against the pattern actually stored in Graylog.
  let parsed = grok(
    pattern: "%{PIHOLE}",
    value: to_string($message.message),
    only_named_captures: true
  );
  // Every named capture becomes a message field. If the pattern does not
  // match, presumably nothing is added, but the marker below is still
  // written — so the marker alone does not prove the parse succeeded.
  set_fields(parsed);
  // Debug marker recording which rule touched the message. The "dnsmasq
  // split" rule has the same condition and writes the same field, so the
  // surviving value depends on rule/stage order.
  set_field("pipeline", "dnsmasq pihole list");
end
rule "dnsmasq split"
// Parses ordinary dnsmasq query / forward / reply lines into query_*
// fields (action, type, domain, source, answer, target).
when
  has_field("application_name") AND
  contains(to_string($message.application_name), "pihole")
then
  // A grok pattern named DNSMASQ must be configured in Graylog, e.g.:
  // %{SYSLOGTIMESTAMP:query_timestamp} %{WORD: programname}\[%{POSINT:procid}\]: %{WORD:query_action}(?:\[%{WORD:query_type}\]|%{SPACE}) %{NOTSPACE:query_domain} (?:from %{NOTSPACE:query_source}|is %{NOTSPACE:query_answer}|to %{NOTSPACE:query_target})
  // NOTE(review): the space in `%{WORD: programname}` looks like a typo —
  // confirm it against the pattern actually stored in Graylog.
  let parsed = grok(
    pattern: "%{DNSMASQ}",
    value: to_string($message.message),
    only_named_captures: true
  );
  // Every named capture becomes a message field; a non-matching line
  // presumably adds nothing.
  set_fields(parsed);
  // Debug marker recording which rule touched the message. The condition
  // is identical to the "dnsmasq pihole list" rule, so both rules run for
  // every pi-hole message and the last one to run wins this field.
  set_field("pipeline", "dnsmasq split");
end
rule "threatintel (2) inflate"
// Collapses the per-source threat flags (presumably written by the
// threat_intel_lookup_* calls with the "query_answer" / "query_domain"
// prefixes) into a single threat_indicated flag.
when
  to_bool($message.query_domain_threat_indicated) OR
  to_bool($message.query_answer_threat_indicated)
then
  // Debug marker recording which rule touched the message.
  set_field("pipeline", "threatintel (2)");
  set_field("threat_indicated", true);
end
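rule "threatintel (dnsmasq)"
// Enriches a parsed dnsmasq query with threat intelligence for the answer
// (query_answer) and the requested / returned domain (query_domain).
// Requires the threat-intel plugin; read its README first:
// https://github.com/Graylog2/graylog-plugin-threatintel
when
  has_field("query_answer") OR has_field("query_domain")
then
  let answer = to_string($message.query_answer);
  let domain = to_string($message.query_domain);

  // Built-in threat lists. The second argument prefixes the returned
  // field names so the two lookups do not overwrite each other.
  // NOTE(review): query_answer is whatever dnsmasq answered — NXDOMAIN, a
  // CNAME target or an IPv6 address as well as an IPv4 — and the condition
  // allows either field to be absent (to_string then yields ""), so the
  // IP lookups may receive a non-IP string; verify how the plugin handles
  // that.
  set_fields(threat_intel_lookup_ip(answer, "query_answer"));
  set_fields(threat_intel_lookup_domain(domain, "query_domain"));
  // WHOIS is an external lookup performed for every matching message;
  // consider caching or limiting it to already-flagged answers.
  set_fields(whois_lookup_ip(answer, "query_answer"));

  // AlienVault OTX, once per source. Both results are kept so that a hit
  // on the answer IP is not lost behind the domain lookup; the message is
  // flagged when either one indicates a threat.
  let otx_answer = otx_lookup_ip(answer);
  let otx_domain = otx_lookup_domain(domain);
  set_field("threat_indicated",
            to_bool(otx_answer.otx_threat_indicated) OR
            to_bool(otx_domain.otx_threat_indicated));
  // threat_ids / threat_names keep their meaning (the domain lookup); the
  // IP lookup's details go to new fields prefixed with their source.
  set_field("threat_ids", otx_domain.otx_threat_ids);
  set_field("threat_names", otx_domain.otx_threat_names);
  set_field("query_answer_otx_threat_ids", otx_answer.otx_threat_ids);
  set_field("query_answer_otx_threat_names", otx_answer.otx_threat_names);
  // Debug marker recording which rule touched the message. Note that the
  // "threatintel (2) inflate" rule also writes threat_indicated; which
  // value survives depends on stage order.
  set_field("pipeline", "threatintel (1)");
end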

gitty8 commented Apr 17, 2017

https://jalogisch.de/2017/der-eigene-dns-resolver-zuhause/

What rule are you using at Stage -9 ?
