topic Re: Blacklisting DNS queries with nullQueue in Getting Data In

Blacklisting DNS queries with nullQueue

geoffmx — Tue, 06 Aug 2019 11:17:05 GMT

I am attempting to blacklist DNS queries using nullQueue.

props.conf

# Blacklist domains
[msad:nt6:dns]
TRANSFORMS-blacklistdomain01 = bl_subdom_domain01_com
TRANSFORMS-blacklistdomain02 = bl_domain02_com

transforms.conf

[bl_subdom_domain01_com]
REGEX=query=subdom.domain01.com
DEST_KEY=queue
FORMAT=nullQueue

[bl_domain02_com]
REGEX=query=domain02.com
DEST_KEY=queue
FORMAT=nullQueue

This does not work! Is there something wrong with the syntax I've used?

Re: Blacklisting DNS queries with nullQueue

jaime_ramirez — Tue, 06 Aug 2019 19:10:16 GMT

You must escape the [.] character:

[bl_subdom_domain01_com]
REGEX= query=subdom\.domain01\.com
DEST_KEY=queue
FORMAT=nullQueue

[bl_domain02_com]
REGEX= query=domain02\.com
DEST_KEY=queue
FORMAT=nullQueue

Hope it helps

Re: Blacklisting DNS queries with nullQueue

geoffmx — Thu, 22 Aug 2019 10:18:40 GMT

I'm not having any luck with this. The nullQueue method did not work. I've even tried blacklisting the domain in inputs.conf

[MSAD:NT6:DNS]
disabled=false
index=msad
blacklist1 = query="domain01\.com"

Escaping the [.] character does not seem to have any effect.

Re: Blacklisting DNS queries with nullQueue

vinod94 — Thu, 22 Aug 2019 17:46:36 GMT

dyude @geoffmx ,

Can you try this,

props.conf

[msad:nt6:dns]
TRANSFORMS-set= domain1,domain2

transforms.conf

[domain1]
REGEX = query\=subdom\.domain01\.com
DEST_KEY = queue
FORMAT = nullQueue

[domain2]
REGEX = query\=domain02\.com
DEST_KEY = queue
FORMAT = nullQueue

Llet me know if it works for you!

Re: Blacklisting DNS queries with nullQueue

nick405060 — Thu, 22 Aug 2019 18:43:58 GMT

Is your sourcetype of msad:nt6:dns correct in props?

Here is what I set up yesterday:

me@local$ cat props.conf
[WebViewIIS]
TRANSFORMS-set = setnull_webview,setparsing_webview
me@local$ cat transforms.conf
[setnull_webview]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing_webview]
REGEX = (?i)mycompany-domain
DEST_KEY = queue
FORMAT = indexQueue

Re: Blacklisting DNS queries with nullQueue

geoffmx — Fri, 23 Aug 2019 05:34:57 GMT

Yes, I believe the sourcetype is correct.

https://docs.splunk.com/Documentation/DCDNSAddOn/1.0.2/TA-WindowsDNS/Sourcetypes

Re: Blacklisting DNS queries with nullQueue

geoffmx — Wed, 30 Sep 2020 01:55:01 GMT

None of this works, unfortunately. I wonder if I am editing the .conf files in the correct location.

In the splunk etc directory, there are two folders for DNS:

$SPLUNK_HOME/etc/apps/TA-DNSServer-NT6/local, and
$SPLUNK_HOME/etc/deployment-apps/Splunk_TA_microsoft_dns/local

Is there a way to determine the right app directory for a given sourcetype?

Re: Blacklisting DNS queries with nullQueue

nick405060 — Fri, 23 Aug 2019 17:26:48 GMT

etc/deployment-apps is only for apps that you are pushing out to ufs from a deployment server

so you need to be doing this in the etc/apps directory on your indexer or search head; for your question specifically that's indexer

the directory inside of /etc/apps doesn't matter as much, as long as it's in a local directory, since it's a configuration hierarchy (see btool)

Re: Blacklisting DNS queries with nullQueue

jeremyhagand61 — Mon, 02 Sep 2019 02:47:17 GMT

Since you are dropping the file before indexing, your regex needs to match the syntax of the raw event data, not the formatted data.

So if your domain you want to drop is company.com, this will look something like this in the logs:

(3)company(2)com(0)

So you may want to have a regex like this:

\(\d\)company\(\d\)com