I am attempting to blacklist DNS queries using nullQueue.
# Blacklist domains
[msad:nt6:dns]
TRANSFORMS-blacklistdomain01 = bl_subdom_domain01_com
TRANSFORMS-blacklistdomain02 = bl_domain02_com

[bl_subdom_domain01_com]
REGEX=query=subdom.domain01.com
DEST_KEY=queue
FORMAT=nullQueue

[bl_domain02_com]
REGEX=query=domain02.com
DEST_KEY=queue
FORMAT=nullQueue
This does not work! Is there something wrong with the syntax I've used?
Since you are dropping the file before indexing, your regex needs to match the syntax of the raw event data, not the formatted data.
So if the domain you want to drop is company.com, it will look something like this in the logs:
So you may want to have a regex like this:
None of this works, unfortunately. I wonder if I am editing the .conf files in the correct location.
In the splunk etc directory, there are two folders for DNS:
Is there a way to determine the right app directory for a given sourcetype?
etc/deployment-apps is only for apps that you are pushing out to UFs from a deployment server.
So you need to be doing this in the etc/apps directory on your indexer or search head; for your question specifically, that's the indexer.
The directory inside of /etc/apps doesn't matter as much, as long as it's in a local directory, since it's a configuration hierarchy (see btool).
Dude @geoffmx,
Can you try this:

[msad:nt6:dns]
TRANSFORMS-set = domain1,domain2

[domain1]
REGEX = query\=subdom\.domain01\.com
DEST_KEY = queue
FORMAT = nullQueue

[domain2]
REGEX = query\=domain02\.com
DEST_KEY = queue
FORMAT = nullQueue

Let me know if it works for you!
I'm not having any luck with this. The nullQueue method did not work. I've even tried blacklisting the domain in inputs.conf
[MSAD:NT6:DNS]
disabled=false
index=msad
blacklist1 = query="domain01\.com"
Escaping the [.] character does not seem to have any effect.
Is your sourcetype of msad:nt6:dns correct in props?
Here is what I set up yesterday:
me@local$ cat props.conf
[WebViewIIS]
TRANSFORMS-set = setnull_webview,setparsing_webview

me@local$ cat transforms.conf
[setnull_webview]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing_webview]
REGEX = (?i)mycompany-domain
DEST_KEY = queue
FORMAT = indexQueue
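The two points made in this thread, that the REGEX runs against the raw event rather than the extracted query= field and that transforms in TRANSFORMS-set run in order with the last match deciding the queue (the drop-everything-then-keep pattern above), can be checked offline. This is an added example, not code from the thread or from Splunk: a small Python simulation of that routing over constructed sample lines (the raw Windows DNS debug-log shape with length-prefixed labels is an assumption, as are the hostnames and IPs).

```python
import re

DEFAULT_QUEUE = "indexQueue"

def route(event, transforms):
    """Queue an event lands in: transforms run in TRANSFORMS-set order and every
    matching one overwrites DEST_KEY=queue, so the last match decides."""
    queue = DEFAULT_QUEUE
    for regex, dest in transforms:
        if re.search(regex, event):
            queue = dest
    return queue

def filter_events(events, transforms):
    """Split events into those indexed and those discarded via nullQueue."""
    kept, dropped = [], []
    for ev in events:
        (dropped if route(ev, transforms) == "nullQueue" else kept).append(ev)
    return kept, dropped

# Constructed sample events (not from the thread). RAW_DEBUG mimics Windows DNS
# debug-log lines as the indexer sees them before field extraction (assumption: the
# name is length-prefixed labels); EXTRACTED is the search-time query= field.
RAW_DEBUG = [
    "1/5/2016 10:17:12 AM 0B08 PACKET 0000003C UDP Rcv 10.0.0.5 0002 Q "
    "[0001 D NOERROR] A (6)subdom(8)domain01(3)com(0)",
    "1/5/2016 10:17:13 AM 0B08 PACKET 0000003D UDP Rcv 10.0.0.6 0003 Q "
    "[0001 D NOERROR] A (8)domain02(3)com(0)",
    "1/5/2016 10:17:14 AM 0B08 PACKET 0000003E UDP Rcv 10.0.0.7 0004 Q "
    "[0001 D NOERROR] A (3)www(7)example(3)com(0)",
]
EXTRACTED = ["query=subdom.domain01.com", "query=domain02.com", "query=www.example.com"]
# The transforms posted in the thread, as (REGEX, FORMAT) pairs.
POSTED = [(r"query=subdom\.domain01\.com", "nullQueue"),
          (r"query=domain02\.com", "nullQueue")]
# The same blacklist rewritten against the raw label encoding.
RAW_MATCH = [(r"\(6\)subdom\(8\)domain01\(3\)com\(0\)", "nullQueue"),
             (r"\(8\)domain02\(3\)com\(0\)", "nullQueue")]
# Drop-everything-then-keep pattern from the WebViewIIS answer; order is essential.
DROP_THEN_KEEP = [(r".", "nullQueue"),
                  (r"\(7\)example\(3\)com\(0\)", "indexQueue")]

if __name__ == "__main__":
    for name, events, tr in [("posted/extracted", EXTRACTED, POSTED),
                             ("posted/raw", RAW_DEBUG, POSTED),
                             ("raw-match/raw", RAW_DEBUG, RAW_MATCH),
                             ("drop-then-keep/raw", RAW_DEBUG, DROP_THEN_KEEP)]:
        kept, dropped = filter_events(events, tr)
        print(f"{name}: kept {len(kept)}, dropped {len(dropped)}")
```

Running it shows the posted regexes drop nothing from the raw lines while the label-encoded regexes do, and that reversing DROP_THEN_KEEP discards every event.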
You must escape the [.] character:
[bl_subdom_domain01_com]
REGEX= query=subdom\.domain01\.com
DEST_KEY=queue
FORMAT=nullQueue

[bl_domain02_com]
REGEX= query=domain02\.com
DEST_KEY=queue
FORMAT=nullQueue

Hope it helps.