Filter DNS queries by domains list

Hello,

the setup I'm working with consists of:

  • machine A - where I'd like to install packetbeat
  • machine B - where elasticsearch is listening

I have DNS queries forwarded to machine A.

I would like to filter the DNS traffic coming to machine A based on a list of domains; in other words, for every query, if the domain requested is in the list I would like packetbeat to forward the DNS request to elasticsearch and ignore/drop every query that does not request any of the domains in the list.

Is this feasible?

Edit: I apologize for the vague question, I know that events can be excluded via the "drop_event" processor and applying conditions. However, since I have a pretty big list (1 million records) I wonder how that could be done.

Thanks in advance,
Alex

Hi,

that is an interesting question.

Currently, we don't have anything in Beats that can handle 1M values.

The recommendation is to use Logstash to filter the events, using the JDBC static filter or the Elasticsearch filter.

Hi Adrian,

thanks for getting back to me :)

I don't know if I understood correctly; here's my best guess:
I could run logstash on machine A to receive the traffic (netflow module?), apply a filter using the elasticsearch filter plugin (which fetches the 1M list from elastic) and then push the result to elasticsearch?

From packetbeat you output all the DNS events to Logstash instead of Elasticsearch (Logstash has the beats input plugin). Logstash does the filtering with either of the two filters and outputs to Elasticsearch.
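One way to wire up the pipeline described above, written as an added example for this thread (it is not code from the thread or from the Logstash project): Packetbeat on machine A ships DNS events to a Logstash beats input, the elasticsearch filter looks each queried name up in an index that holds the domain list, and events with no match are dropped. The hosts, port, index name, "domain" field name and the file path are assumptions.

```logstash
# Hypothetical pipeline file: /etc/logstash/conf.d/dns-domain-list.conf
# Assumes: Packetbeat on machine A is configured with
#   output.logstash.hosts: ["machineA:5044"]
# Elasticsearch runs on machine B and holds an index "dns-domain-list"
# whose documents look like {"domain": "example.com"}, with "domain"
# mapped as a keyword field. Event fields follow Packetbeat's ECS
# layout (dns.question.name).

input {
  beats {
    port => 5044
  }
}

filter {
  # Only DNS events carry a question name; drop everything else early.
  if ![dns][question][name] {
    drop { }
  }

  # DNS names are case-insensitive; normalise before the lookup so that
  # "Example.COM" matches the lowercase entry in the list.
  mutate {
    lowercase => [ "[dns][question][name]" ]
  }

  # Look the queried name up in the list held in Elasticsearch. The name is
  # interpolated into a query-string query (quoted, so it is one term) and
  # matched against the keyword field "domain". On a hit, the stored value
  # is copied onto the event as [matched][domain].
  elasticsearch {
    hosts          => ["machineB:9200"]
    index          => "dns-domain-list"
    query          => 'domain:"%{[dns][question][name]}"'
    fields         => { "domain" => "[matched][domain]" }
    result_size    => 1
    tag_on_failure => ["_lookup_failure"]
  }

  # No hit means [matched][domain] was never set: discard the event.
  # Events tagged _lookup_failure are kept, so an outage of the lookup
  # shows up in the index instead of silently dropping all traffic.
  if ![matched][domain] and "_lookup_failure" not in [tags] {
    drop { }
  }
}

output {
  elasticsearch {
    hosts => ["machineB:9200"]
    index => "packetbeat-dns-%{+YYYY.MM.dd}"
  }
}
```

The same structure works with the JDBC static filter in place of the elasticsearch filter if the list lives in a database rather than an index.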
