Filter DNS queries by domains list

alex_h · June 18, 2018, 10:17am

Hello,

the setup I'm working with consists of:

machine A - where I'd like to install packetbeat
machine B - where elastsearch is listening

I have DNS queries forwarded to machine A.

I would like to filter the DNS traffic coming to machine A based on a list of domains; in other words, for every query, if the domain requested is in the list I would like packetbeat to forward the DNS request to elasticsearch and ignore/drop every query that does not request any of the domains in the list.

Is this feasible?

Edit: I apologize for the vague question, I know that events can be excluded via processors "drop_event" and applying conditions. However since I have a pretty big list (1 million record) I wonder how that could be done.

Thanks in advance,
Alex

adrisr · June 18, 2018, 3:09pm

Hi,

that is an interesting question.

Currently, we don't have anything in Beats that can handle this 1M values.

The recommendation is to use Logstash to filter the events, using the JDBC static filter or the Elasticsearch filter.

alex_h · June 18, 2018, 3:36pm

Hi Adrian,

thanks for getting back to me

I don't know if I understood correctly; here's my best guess:
I could run logstash on machine A to receive the traffic (netflow module?), apply a filter using the elasticsearch filter plugin (which fetches the 1M list from elastic) and then push the result to elasticsearch?

adrisr · June 19, 2018, 4:15am

From packetbeat you output all the DNS events to Logstash instead of Elasticsearch (logstash has the beats input plugin). Logstash does the filtering with any of the two filters and outputs to Elasticsearch.

system · July 17, 2018, 4:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.