Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to tune search for detection of DNS tunnels rule

yawdeals
New Member
‎04-21-2020 10:03 AM

I need help on how I can tune the search below. It creates too much noise. I will like to know what steps I can use to tune or if there is better SPL available that can be used.

| tstats summariesonly=t dc("DNS.query") as count  from datamodel=Network_Resolution  where nodename=DNS "DNS.message_type"="QUERY" NOT (`cim_corporate_web_domain_search("DNS.query")`) NOT "DNS.query"="*.in-addr.arpa" NOT ("DNS.src_category"="svc_infra_dns" OR "DNS.src_category"="svc_infra_webproxy" OR "DNS.src_category"="svc_infra_email*"   ) by "DNS.src","DNS.query" | rename "DNS.src" as src  "DNS.query" as message 
| eval length=len(message) | stats sum(length) as length by src 
| append [ tstats summariesonly=t dc("DNS.answer") as count  from datamodel=Network_Resolution  where nodename=DNS "DNS.message_type"="QUERY" NOT (`cim_corporate_web_domain_search("DNS.query")`) NOT "DNS.query"="*.in-addr.arpa" NOT ("DNS.src_category"="svc_infra_dns" OR "DNS.src_category"="svc_infra_webproxy" OR "DNS.src_category"="svc_infra_email*"   ) by "DNS.src","DNS.answer" 
| rename "DNS.src" as src  "DNS.answer" as message 
| eval message=if(message=="unknown","", message) 
| eval length=len(message) 
| stats sum(length) as length by src ] 
| stats sum(length) as length by src | where length > 10000
Labels (1)
Labels
0 Karma
Reply

PavelP
Motivator
‎04-21-2020 11:06 AM

Hello @yawdeals ,

I'm not sure you can detect DNS tunneling using such simple method. What about to do it right?: https://www.sans.org/reading-room/whitepapers/dns/splunk-detect-dns-tunneling-37022

0 Karma
Reply

yawdeals
New Member
‎04-23-2020 07:21 AM

I read the document and will like to know if there is an SPL that i can use as a starting point?

0 Karma
Reply

jfcshunter
Explorer
‎06-29-2021 07:30 AM

For those looking into this:

https://docs.splunksecurityessentials.com/content-detail/detection_of_dns_tunnels/

Tags (3)
0 Karma
Reply

TomJ-AFK
Loves-to-Learn
‎01-27-2022 04:07 AM

This is showing as 404 now, do we know where the resource might be? I'm putting together a query for tunneling so any hints would be useful!

0 Karma
Reply

jfcshunter
Explorer
‎02-09-2022 06:26 AM

https://docs.splunksecurityessentials.com/content-detail/showcase_huge_volume_dns_requests/

 

Now is the updated DNS tunnelling article

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...