Hello, my company is running Bro 2.5 on 300 CentOS 7 servers. How would we blacklist a set of domains that are being logged to dns.log?
Have about 50 domains we want to ignore. Does this require any kind of re-compile of bro? Does bro require a restart afterwards? Documentation would be good (have searched around for this, no luck)
There appears to be a …postbody/postbody.bro but think that is for http. I see a "filter_dns_ssl_conn" directory on our servers, but files in it don't contain much.
Anyway, if you could advise, we would appreciate it.
The logging framework can be used to accomplish this. This blog post has a few examples that are similar to what you are trying to do:
https://zeek.org/2012/02/02/filtering-logs-with-bro/
The gist of it is that the path_func option can be used to split a log into different chunks, and the pred option can be used to filter things completely.
The tricky part with dns is queries don't exactly match domains, they are prefixes.. so there's usually a little pre-processing that needs to be done.
Something like this could work:
    option ignore_domains: set[string] = {
        "whatever.com",
        "somethingelse.com",
        "some.subdomain.bigger.com",
    };

    # Rebuilt from ignore_domains at startup; the placeholder matches nothing useful.
    global ignore_domains_regex: pattern = /MATCH_NOTHING/;

    event zeek_init()
        {
        # Magic from scripts/base/utils/site.zeek: each domain matches either the
        # whole query or a suffix of it preceded by a dot.
        ignore_domains_regex = set_to_regex(ignore_domains, "(^\\.?|\\.)(~~)$");

        Log::remove_default_filter(DNS::LOG);
        Log::add_filter(DNS::LOG, [
            $name = "dns_split",
            $path_func(id: Log::ID, path: string, rec: DNS::Info) = {
                # DNS::Info$query is &optional, so check it is set before matching.
                if ( rec?$query && ignore_domains_regex in rec$query )
                    return "dns_noise";
                return "dns";
                }
            ]);
        }
That'll split off the dns log into dns and dns_noise.. can easily change that to just be a pred after confirming that the records in dns_noise are not required.
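For the second step the reply describes, dropping the matched queries outright instead of splitting them into dns_noise, the same filter can carry a pred instead of a path_func. This is an added example rather than code from the post; it reuses the ignore_domains set and the site.zeek-style regex, and the helper name is_ignored_query and filter name dns_filtered are arbitrary choices.

```zeek
# Added example: drop dns.log records whose query is in, or under, an ignored domain.
option ignore_domains: set[string] = {
    "whatever.com",
    "somethingelse.com",
    "some.subdomain.bigger.com",
};

# Rebuilt from ignore_domains at startup; placeholder matches nothing useful.
global ignore_domains_regex: pattern = /MATCH_NOTHING/;

# True when q equals an ignored domain or ends in ".<ignored domain>".
# Suffix matching, not substring: "notwhatever.com" is still logged.
function is_ignored_query(q: string): bool
    {
    return ignore_domains_regex in q;
    }

event zeek_init()
    {
    # Same construction as scripts/base/utils/site.zeek uses for local_zones.
    ignore_domains_regex = set_to_regex(ignore_domains, "(^\\.?|\\.)(~~)$");

    # Replace the default dns filter with one that writes the same path
    # but only passes records the predicate accepts.
    Log::remove_default_filter(DNS::LOG);
    Log::add_filter(DNS::LOG, [
        $name = "dns_filtered",
        $path = "dns",
        $pred(rec: DNS::Info) = {
            # Keep records with no query at all (query is &optional);
            # keep everything else unless it matches the ignore list.
            if ( ! rec?$query )
                return T;
            return ! is_ignored_query(rec$query);
            }
        ]);
    }
```

On Bro 2.5 the startup event is bro_init and the option keyword does not exist yet, so declare the set as const ignore_domains: set[string] = { ... } &redef instead; no recompile is needed in either case, but the script has to be loaded and bro restarted (or redeployed via broctl) for the filter to take effect.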