Splunk Enterprise Security

Can you help me with a problem I'm having with Bro's DNS logs and Correlation Searches?

Path Finder

The "Detect Long DNS TXT Record Response" correlation search does not show anything:

| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type |  `drop_dm_object_name("DNS")` | eval anslen=len(answer) | search anslen>100 | `ctime(firstTime)` | `ctime(lastTime)` | rename src as "Source IP", dest as "Destination IP", answer as "DNS Answer" anslen as "Answer Length" record_type as "DNS Record Type" firstTime as "First Time" lastTime as "Last Time" count as Count | table "Source IP" "Destination IP" "DNS Answer" "DNS Record Type"  "Answer Length" Count "First Time" "Last Time"

Seems like all the Network_Resolution datamodel message_type and answers are unknown:

answer   record_type   message_type   count
unknown  TXT           unknown        44058
unknown  TXT           unknown        25818
unknown  TXT           unknown        22868
unknown  TXT           unknown        17916
unknown  TXT           unknown        16092
unknown  TXT           unknown        16087
unknown  TXT           unknown        8159

I cut out the src and dest, but as you can see I would get nothing, since all the message_types are unknown and the search is looking for responses. I think every Bro DNS log is both a query and a response if the DNS server responds to the query.

Do I need to do something special to get the message type of response and the data in the answers? I know that there is data in the answers field for the index=bro sourcetype=bro_dns:

_time   query   qtype_name  answers rcode_name  tag vendor
28:53.2   TXT TXT 143 Mail from blocked using Trend Micro Email Reputation database. Please see <http://www.mail-abuse.com/cgi-bin/lookup?\\>    NOERROR dns,network,resolution  Bro

Anyone else using Bro to get DNS into Splunk?

Thank you,
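As an added example (not code from the original post, from Splunk ES content, or from the Bro/Zeek project), the script below parses a constructed Bro/Zeek dns.log excerpt and applies the same test the correlation search above performs: a TXT response whose answer is longer than 100 characters. Because a Bro record carries both the query and the reply in one line, the script derives message_type itself, treating a record that has an rcode_name as a response; that rule, the field subset in the header, and all sample values are this example's assumptions, not the add-on's CIM field mapping.

```python
"""Parse a Bro/Zeek dns.log TSV excerpt and flag long TXT responses.

Reproduces the logic of the ES search in the post: message_type=response,
record_type=TXT, len(answer) > 100.  Sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional

# Constructed oversized TXT answer (120 characters) used by the sample log.
LONG_TXT = "x" * 120

# Constructed dns.log excerpt using a subset of Zeek's dns.log columns.
# Unset fields are "-", empty sets are "(empty)", set members are joined by ",".
SAMPLE_DNS_LOG = f"""#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tdns
#fields\tts\tid.orig_h\tid.resp_h\tquery\tqtype_name\trcode_name\tanswers
1656000001.000000\t10.0.0.5\t10.0.0.53\texample.test\tA\tNOERROR\t192.0.2.10
1656000002.000000\t10.0.0.5\t10.0.0.53\t_dmarc.example.test\tTXT\tNOERROR\tv=DMARC1; p=none
1656000003.000000\t10.0.0.7\t10.0.0.53\tbeacon.example.test\tTXT\tNOERROR\t{LONG_TXT}
1656000004.000000\t10.0.0.9\t10.0.0.53\tpending.example.test\tTXT\t-\t-
"""


@dataclass
class DnsRecord:
    ts: float
    src: str
    dest: str
    query: str
    record_type: str          # Zeek qtype_name, e.g. "TXT"
    rcode_name: Optional[str]  # None when the field is unset ("-")
    answers: List[str]

    @property
    def message_type(self) -> str:
        # Bro writes one line per transaction and has no message_type field.
        # Heuristic for this example: a record carrying a response code is a
        # response; a record with none is a query that got no reply.
        return "response" if self.rcode_name is not None else "query"


def parse_dns_log(text: str) -> Iterator[DnsRecord]:
    """Yield DnsRecord objects from Zeek TSV text, honouring its header lines."""
    fields: List[str] = []
    set_sep, empty, unset = ",", "(empty)", "-"
    for line in text.splitlines():
        if not line or line.startswith("#close"):
            continue
        if line.startswith("#"):
            key, _, val = line.partition("\t")
            if key == "#fields":
                fields = val.split("\t")
            elif key == "#set_separator":
                set_sep = val
            elif key == "#empty_field":
                empty = val
            elif key == "#unset_field":
                unset = val
            continue
        row: Dict[str, str] = dict(zip(fields, line.split("\t")))

        def opt(name: str) -> Optional[str]:
            value = row.get(name, unset)
            return None if value == unset else value

        raw_answers = opt("answers")
        answers = [] if raw_answers in (None, empty) else raw_answers.split(set_sep)
        yield DnsRecord(
            ts=float(row["ts"]),
            src=row["id.orig_h"],
            dest=row["id.resp_h"],
            query=row.get("query", ""),
            record_type=row.get("qtype_name", ""),
            rcode_name=opt("rcode_name"),
            answers=answers,
        )


def message_type_counts(records: Iterable[DnsRecord]) -> Dict[str, int]:
    """Count derived message types; the post's datamodel showed only 'unknown'."""
    counts: Dict[str, int] = {}
    for rec in records:
        counts[rec.message_type] = counts.get(rec.message_type, 0) + 1
    return counts


@dataclass
class Hit:
    src: str
    dest: str
    answer: str
    answer_length: int


def long_txt_responses(records: Iterable[DnsRecord], threshold: int = 100) -> List[Hit]:
    """Same predicate as the ES search: TXT response with an answer > threshold chars.
    Each answer in a multi-valued record is tested on its own, as the datamodel
    search does after splitting the multivalue field."""
    hits: List[Hit] = []
    for rec in records:
        if rec.message_type != "response" or rec.record_type != "TXT":
            continue
        for answer in rec.answers:
            if len(answer) > threshold:
                hits.append(Hit(rec.src, rec.dest, answer, len(answer)))
    return hits


if __name__ == "__main__":
    recs = list(parse_dns_log(SAMPLE_DNS_LOG))
    print(message_type_counts(recs))
    for hit in long_txt_responses(recs):
        print(f"{hit.src} -> {hit.dest}: TXT answer of {hit.answer_length} chars")
```

Run against the embedded sample, the script classifies three records as responses and one as an unanswered query, and flags only the 120-character TXT answer. The same parser can be pointed at a real dns.log to confirm that answers and rcode_name are populated in the raw events, which is the first thing to check when the datamodel shows them as unknown.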
