forked from philhagen/sof-elk
-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy path8502-postprocess-freq_analysis_zeek_dns.conf
58 lines (58 loc) · 1.98 KB
/
8502-postprocess-freq_analysis_zeek_dns.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# Author: Justin Henderson
# Email: jhenderson@tekrefresh.comes
# Last Update: 5/10/2016
#
# This conf file is based on accepting logs for dns.log from Zeek systems
filter {
if [type] == "dns" {
# If Query exists run a frequency analysis against it. In order for this to work you must have
# freq.py and the corresponding frequency table in /opt/freq/. This is a huge boost to security
# and I highly recommend you set this up. Example, if a frequency score less than 6 exists
# then there is a likelihood that something malicious is happening.
#
# For higher accuracy, please generate your own frequency tables. For questions on setup,
# please refer to https://github.com/SMAPPER
if [query_type_name] == "A" or [query_type_name] == "AAAA" {
if [parent_domain] and [parent_domain_length] > 5 {
rest {
request => {
url => "http://localhost:10004"
method => "get"
params => {
"cmd" => "measure1"
"tgt" => "%{parent_domain}"
}
}
sprintf => true
target => "parent_domain_frequency_score"
}
if [parent_domain_frequency_score] {
mutate {
convert => { "parent_domain_frequency_score" => "float" }
add_field => { "frequency_scores" => "%{parent_domain_frequency_score}" }
}
}
}
if [sub_domain] and [sub_domain_length] > 5 {
rest {
request => {
url => "http://localhost:10004"
method => "get"
params => {
"cmd" => "measure1"
"tgt" => "%{sub_domain}"
}
}
sprintf => true
target => "sub_domain_frequency_score"
}
if [sub_domain_frequency_score] {
mutate {
convert => { "sub_domain_frequency_score" => "float" }
add_field => { "frequency_scores" => "%{sub_domain_frequency_score}" }
}
}
}
}
}
}