Splunk Enterprise Security

How to tune search for detection of DNS tunnels rule

yawdeals
New Member

I need help on how I can tune the search below. It creates too much noise. I will like to know what steps I can use to tune or if there is better SPL available that can be used.


| tstats summariesonly=t dc("DNS.query") as count  from datamodel=Network_Resolution  where nodename=DNS "DNS.message_type"="QUERY" NOT (`cim_corporate_web_domain_search("DNS.query")`) NOT "DNS.query"="*.in-addr.arpa" NOT ("DNS.src_category"="svc_infra_dns" OR "DNS.src_category"="svc_infra_webproxy" OR "DNS.src_category"="svc_infra_email*"   ) by "DNS.src","DNS.query" | rename "DNS.src" as src  "DNS.query" as message 
| eval length=len(message) | stats sum(length) as length by src 
| append [ tstats summariesonly=t dc("DNS.answer") as count  from datamodel=Network_Resolution  where nodename=DNS "DNS.message_type"="QUERY" NOT (`cim_corporate_web_domain_search("DNS.query")`) NOT "DNS.query"="*.in-addr.arpa" NOT ("DNS.src_category"="svc_infra_dns" OR "DNS.src_category"="svc_infra_webproxy" OR "DNS.src_category"="svc_infra_email*"   ) by "DNS.src","DNS.answer" 
| rename "DNS.src" as src  "DNS.answer" as message 
| eval message=if(message=="unknown","", message) 
| eval length=len(message) 
| stats sum(length) as length by src ] 
| stats sum(length) as length by src | where length > 10000
Labels (1)
0 Karma

PavelP
Motivator

Hello @yawdeals ,

I'm not sure you can detect DNS tunneling using such simple method. What about to do it right?: https://www.sans.org/reading-room/whitepapers/dns/splunk-detect-dns-tunneling-37022

0 Karma

yawdeals
New Member

I read the document and will like to know if there is an SPL that i can use as a starting point?

0 Karma

jfcshunter
Explorer
0 Karma

TomJ-AFK
Loves-to-Learn

This is showing as 404 now, do we know where the resource might be? I'm putting together a query for tunneling so any hints would be useful!

0 Karma

jfcshunter
Explorer
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...