
DNS Firewall hits by RP zone

Anna
Techie
Posts: 8
4124     1

This dashboard shows which RP zone has been hit. Useful to justify and tune the RPZ feeds used.

Attachment: DNS Firewall hits by RP zone.png

<form>
  <label>RPZ hits by RP zone</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>0</earliest>
        <latest></latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <!-- Reads the Infoblox RPZ summary index. rp_zone is derived by stripping the
             queried name (DOMAIN_NAME) plus its trailing dot off the front of the rule
             name (RPZ_QNAME), which assumes a QNAME-triggered rule of the form
             DOMAIN_NAME.rp_zone. Error actions (ER) are excluded before counting.
             The case() statements end with a true() branch so that any code not in
             the mapping is shown as-is rather than becoming null and disappearing. -->
        <search>
          <query>index=ib_dns_summary report=si_dns_rpz_hits
| lookup dns_viewkey_displayname_lookup VIEW output display_name
| eval DNS_VIEW=if(isnull(display_name), "NULL", display_name)
| eval RECORD_DATA=if(isnull(RECORD_DATA), "", RECORD_DATA)
| eval RPZ_QNAME=if(isnull(RPZ_QNAME), "", RPZ_QNAME)
| eval rp_zone=substr(RPZ_QNAME, len(DOMAIN_NAME)+2)
| eval RPZ_SEVERITY=if(isnull(RPZ_SEVERITY), "", RPZ_SEVERITY)
| where MITIGATION_ACTION != "ER"
| stats sum(COUNT) as QCOUNT by TOTAL_COUNT, MITIGATION_ACTION, RPZ_SEVERITY, RECORD_DATA, rp_zone
| stats sum(TOTAL_COUNT) as TOTAL_COUNT, sum(QCOUNT) as QCOUNT by MITIGATION_ACTION, RPZ_SEVERITY, RECORD_DATA, rp_zone
| sort -QCOUNT
| eval MITIGATION_ACTION=case(MITIGATION_ACTION == "PT", "Passthru", MITIGATION_ACTION == "NX", "Block (No Such Domain)", MITIGATION_ACTION == "ND", "Block (No Data)", MITIGATION_ACTION == "SB", "Substitute", MITIGATION_ACTION == "A1", "Substitute (A)", MITIGATION_ACTION == "A4", "Substitute (AAAA)", MITIGATION_ACTION == "AA", "Substitute (A/AAAA)", MITIGATION_ACTION == "DN", "Substitute (Domain Name)", MITIGATION_ACTION == "ER", "Error", true(), MITIGATION_ACTION)
| eval RPZ_SEVERITY=case(RPZ_SEVERITY == "4", "INFORMATIONAL", RPZ_SEVERITY == "6", "WARNING", RPZ_SEVERITY == "7", "MAJOR", RPZ_SEVERITY == "8", "CRITICAL", true(), RPZ_SEVERITY)
| rename TOTAL_COUNT as "Total Rule Hits", RPZ_SEVERITY as "RPZ Severity", MITIGATION_ACTION as "Mitigation Action"
| table rp_zone, "RPZ Severity", "Total Rule Hits", "Mitigation Action"</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>

Re: DNS Firewall hits by RP zone

SHayes
Techie
Posts: 1
4125     1

Thank you for the information on how to do this. The question I have is that we also use zones based on IP address, and they are not parsing correctly when trying to do the DNS name resolution. Is there any way just to report based on the configured zones?

Re: DNS Firewall hits by RP zone

Anna
Techie
Posts: 8
4125     1

Yes, this is an issue. The data present when the block is by IP address is completely different. I think I would solve this by first crafting a report that only has IP-blocked data and then looking at the events and the fields they contain. From that data I could work out how to extract the RPZ domain name. Once I had that, I would see if some simple IF statements would allow the two reports to be combined.

In this case my customer did not have any IP-based RPZ because they were using DNS Firewall in an internal network with "stolen" internet IP addresses. So any block by IP might block legitimate internal application traffic.
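The IP-based zone problem discussed above, worked through as an added example that is not part of the original thread and not Infoblox's or Splunk's own code. It parses RPZ rewrite messages in the shape BIND logs them ("rpz QNAME NXDOMAIN rewrite name via rule.zone"); Infoblox DNS Firewall is BIND-based, but that its syslog matches this format exactly is an assumption here, as are the feed names, zone names and client addresses, which are all constructed. The point is that a QNAME rule's owner name starts with the queried name (or a wildcard parent of it), so the zone is what follows it, whereas IP, NSIP, NSDNAME and CLIENT-IP rules carry a marker label (rpz-ip, rpz-nsip, rpz-nsdname, rpz-client-ip) between the encoded trigger data and the zone, so for those the zone is what follows the marker and the queried name is irrelevant. This goes a little beyond the thread by also handling wildcard QNAME rules and decoding the rpz-ip prefix back into CIDR notation.

```python
import re
from collections import Counter
from typing import Optional, Tuple

# BIND-style RPZ rewrite message (assumption: Infoblox DNS Firewall logs the same shape):
#   rpz <TRIGGER> <POLICY> rewrite <queried name> via <rule owner name in the RP zone>
RPZ_LOG = re.compile(
    r"rpz (?P<trigger>CLIENT-IP|QNAME|IP|NSDNAME|NSIP) (?P<policy>[A-Z-]+) "
    r"rewrite (?P<qname>\S+) via (?P<via>\S+)"
)

# Non-QNAME rules put a marker label between the encoded trigger data and the zone,
# e.g. 24.0.2.0.192.rpz-ip.<zone> is the rule for 192.0.2.0/24.
TRIGGER_MARKER = {
    "CLIENT-IP": "rpz-client-ip",
    "IP": "rpz-ip",
    "NSIP": "rpz-nsip",
    "NSDNAME": "rpz-nsdname",
}

# Constructed sample lines; the names, feeds and addresses are made up for this example.
SAMPLE_LINES = [
    "client 10.20.30.40#51234 (evil.example): rpz QNAME NXDOMAIN rewrite evil.example via evil.example.rpz.infoblox.local",
    "client 10.20.30.41#51235 (www.evil.example): rpz QNAME NXDOMAIN rewrite www.evil.example via *.evil.example.rpz.infoblox.local",
    "client 10.20.30.42#51236 (cdn.partner.example): rpz IP NODATA rewrite cdn.partner.example via 24.0.2.0.192.rpz-ip.ip-feed.infoblox.local",
    "client 10.20.30.43#51237 (shady.example): rpz NSIP CNAME rewrite shady.example via 32.10.113.0.203.rpz-nsip.ip-feed.infoblox.local",
    "client 10.20.30.44#51238 (good.example): rpz QNAME PASSTHRU rewrite good.example via good.example.allowlist.infoblox.local",
    "client 10.20.30.45#51239 (intranet.example): query: intranet.example IN A + (10.0.0.53)",  # ordinary query, not an RPZ hit
]


def parse_rpz_line(line: str) -> Optional[dict]:
    """Return the RPZ fields of a log line, or None if it is not an RPZ rewrite."""
    m = RPZ_LOG.search(line)
    return m.groupdict() if m else None


def decode_rpz_ip(encoded: str) -> str:
    """Turn the rpz-ip encoding '24.0.2.0.192' back into '192.0.2.0/24'.
    IPv4 only; IPv6 encodings (which use a 'zz' label for '::') are returned unchanged."""
    parts = encoded.split(".")
    if len(parts) == 5 and all(p.isdigit() for p in parts):
        prefix, *reversed_octets = parts
        return ".".join(reversed(reversed_octets)) + "/" + prefix
    return encoded


def split_via(trigger: str, qname: str, via: str) -> Tuple[Optional[str], Optional[str]]:
    """Split the rule owner name into (trigger data, rp zone).

    QNAME rules are <name>.<zone>, where <name> is the queried name or a wildcard
    parent of it, so the zone is whatever follows the matched name. The other
    trigger types are <data>.<marker>.<zone>, so the zone is whatever follows the
    marker, independent of the queried name. Returns (None, None) if neither fits.
    """
    via = via.rstrip(".").lower()
    qname = qname.rstrip(".").lower()
    if trigger == "QNAME":
        labels = qname.split(".")
        candidates = [qname] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
        for name in candidates:
            if via.startswith(name + "."):
                return name, via[len(name) + 1:]
        return None, None
    data, marker, zone = via.partition("." + TRIGGER_MARKER[trigger] + ".")
    if not marker:
        return None, None
    if trigger in ("IP", "NSIP", "CLIENT-IP"):
        data = decode_rpz_ip(data)
    return data, zone


def hits_by_zone(lines) -> dict:
    """Tally RPZ hits by (rp zone, trigger type, policy), like the dashboard table."""
    counts: Counter = Counter()
    for line in lines:
        hit = parse_rpz_line(line)
        if hit is None:
            continue
        _, zone = split_via(hit["trigger"], hit["qname"], hit["via"])
        counts[(zone or "UNPARSED", hit["trigger"], hit["policy"])] += 1
    return dict(counts)


if __name__ == "__main__":
    rows = sorted(hits_by_zone(SAMPLE_LINES).items(), key=lambda kv: -kv[1])
    for (zone, trigger, policy), n in rows:
        print(f"{zone:28} {trigger:8} {policy:10} {n}")
```

The same split carries over to the Splunk search: test the rule name for the marker labels first and take the zone from after the marker, and only fall back to stripping the queried name off the front when no marker is present, so IP-triggered hits land in the right RP zone instead of producing garbage.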
