Hello @PavelP
We created a regex that filters out DNS based on the order below (I'm talking about raw events):
dns_record_name src_ip dest_ip dest_port
rec_type=71\sssl_server_name=\S+\ssec_zone_ingress=\S+\sevent_subtype=1\sdns_record_name=\S+\s.+src_ip=(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2[0-9]|3[0-1])\.\d{1,3}\.\d{1,3})\s[\s\S]?dest_ip=(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2[0-9]|3[0-1])\.\d{1,3}\.\d{1,3})\s[\s\S]?(dest_port=53).+
After that, the remaining DNS logs started to appear in the order below, which we also covered with a regex:
src_ip dest_port dns_record_name dest_port dest_ip
.src_ip=(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2[0-9]|3[0-1])\.\d{1,3}\.\d{1,3})\s[\s\S]?(dns_record_name=\S+)\s[\s\S]?(dest_port=53)\s[\s\S]?dest_ip=(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2[0-9]|3[0-1])\.\d{1,3}\.\d{1,3}).*
Now the DNS rules appear in the order below, which requires yet another regex ...
dest_ip src_ip dest_port dns_record_name
Each time we filter out traffic, the DNS logs appear in a new order...
Regards,
Dawid
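The three regexes above are positional: each one hard-codes the order in which src_ip, dest_ip, dest_port and dns_record_name appear, so every new field order needs a new pattern. Added example, not part of Dawid's post and not code from any product discussed here: it parses the raw event into key=value pairs first and then applies the same predicate the regexes encode (dest_port=53, a dns_record_name present, and both src_ip and dest_ip in RFC 1918 space), so the field order no longer matters. The events in SAMPLE_EVENTS are constructed to mirror the three orders listed in the post plus a few events that must survive the filter; the function names and the exact predicate are my assumptions.

```python
import re
import ipaddress

# Constructed sample raw events (not taken from the original post). The first
# three use the three field orders the post lists; the rest must NOT be filtered.
SAMPLE_EVENTS = [
    "rec_type=71 ssl_server_name=- sec_zone_ingress=inside event_subtype=1 "
    "dns_record_name=intranet.example src_ip=10.1.2.3 dest_ip=10.0.0.53 dest_port=53",
    "src_ip=192.168.5.7 dest_port=53 dns_record_name=printer.example dest_port=53 dest_ip=192.168.5.1",
    "dest_ip=172.16.0.2 src_ip=172.31.4.4 dest_port=53 dns_record_name=ldap.example",
    # query to a public resolver: dest_ip is not RFC 1918, keep it
    "src_ip=10.1.2.3 dest_ip=8.8.8.8 dest_port=53 dns_record_name=example.com",
    # not DNS at all: keep it
    "src_ip=10.1.2.3 dest_ip=10.0.0.5 dest_port=443 dns_record_name=-",
    # an unescaped '.' in the regexes would accept this; it is not an IPv4 address, keep it
    "src_ip=10x1.2.3 dest_ip=10.0.0.53 dest_port=53 dns_record_name=foo",
]

# One key=value token; values are whitespace-delimited like in the raw events.
KV_RE = re.compile(r"(\w+)=(\S+)")

# Same three ranges the post's regex alternation enumerates.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_kv(event):
    """Return the event's key=value pairs as a dict, regardless of field order.

    If a key repeats (dest_port appears twice in the second order), the last
    occurrence wins, which is fine for the equality checks below.
    """
    return dict(KV_RE.findall(event))


def is_rfc1918(value):
    """True only for a syntactically valid IPv4 address inside 10/8, 172.16/12 or 192.168/16."""
    try:
        ip = ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def is_internal_dns(event):
    """Order-independent equivalent of the post's regexes: internal-to-internal DNS."""
    kv = parse_kv(event)
    return (
        kv.get("dest_port") == "53"
        and "dns_record_name" in kv
        and is_rfc1918(kv.get("src_ip", ""))
        and is_rfc1918(kv.get("dest_ip", ""))
    )


def filter_events(events):
    """Drop internal DNS events and return everything else, i.e. what the filter lets through."""
    return [e for e in events if not is_internal_dns(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print("DROP" if is_internal_dns(e) else "KEEP", e)
```

Because the predicate is evaluated on parsed fields, a fourth or fifth field order needs no new pattern. Note that is_rfc1918 rejects "10x1.2.3": the unescaped dots in the original regexes (`10.\d{1,3}`) would have matched it, since `.` matches any character.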