The "Detect Long DNS TXT Record Response" search does not show anything:

| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type
| `drop_dm_object_name("DNS")`
| eval anslen=len(answer)
| search anslen>100
| `ctime(firstTime)`
| `ctime(lastTime)`
| rename src as "Source IP", dest as "Destination IP", answer as "DNS Answer" anslen as "Answer Length" record_type as "DNS Record Type" firstTime as "First Time" lastTime as "Last Time" count as Count
| table "Source IP" "Destination IP" "DNS Answer" "DNS Record Type" "Answer Length" Count "First Time" "Last Time"
It seems like all the Network_Resolution datamodel message_type and answer values are unknown:
answer record_type message_type count
unknown TXT unknown 44058
unknown TXT unknown 25818
unknown TXT unknown 22868
unknown TXT unknown 17916
unknown TXT unknown 16092
unknown TXT unknown 16087
unknown TXT unknown 8159
I cut out the src and dest, but as you can see I would get nothing, since all the message_type values are unknown and the search is looking for responses. I think every Bro DNS log is both a query and a response if the DNS server responds to the query.
Do I need to do something special to get the message type of response and the data in the answers? I know that there is data in the answers field for the index=bro sourcetype=bro_dns:
_time query qtype_name answers rcode_name tag vendor
28:53.2 10.231.36.73.imwyyj2pluwatbkhz2yqgkzte3fhckp.r.mail-abuse.com TXT TXT 143 Mail from 73.36.231.10 blocked using Trend Micro Email Reputation database. Please see <http://www.mail-abuse.com/cgi-bin/lookup?\\73.36.231.10> NOERROR dns,network,resolution Bro
Anyone else using Bro to get DNS into Splunk?
Thank you,
Brian
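Added example (not part of Brian's post): one way to populate the CIM Network_Resolution fields from the raw bro_dns fields shown in the sample event above. It assumes the sourcetype is `bro_dns` and that the raw fields are named `answers`, `qtype_name` and `rcode_name` as in that event; the target names `answer`, `record_type` and `message_type` are the CIM fields the tstats search filters on. Bro writes one dns.log line per transaction and only fills `rcode_name` once a response was seen (an unset field is logged as "-"), so that field is used here as the response indicator. The stanza class names and the "Query"/"Response" values are assumptions.

```ini
# props.conf -- added example, assumptions noted in the lead-in
[bro_dns]
# CIM Network_Resolution expects the resolved data in "answer"; Bro logs it as "answers"
FIELDALIAS-cim_dns_answer = answers AS answer
# Bro's qtype_name (e.g. TXT) is what CIM calls record_type
FIELDALIAS-cim_dns_record_type = qtype_name AS record_type
# One Bro line covers both query and response; rcode_name is only set when a
# response was seen, and Bro writes "-" for an unset field, so use it to classify
EVAL-message_type = if(isnull(rcode_name) OR rcode_name=="-", "Query", "Response")
```

After deploying this to the search head, a raw check such as `index=bro sourcetype=bro_dns | stats count by message_type record_type` should show Response rows with a TXT record_type before the datamodel is expected to pick them up; the accelerated datamodel behind `tstats` only reflects the new fields once its acceleration has been rebuilt. If `answers` is extracted as a multivalue field, `len(answer)` in the search measures individual values rather than the whole response, which can hide long multi-part TXT answers.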