Need help in dropping DNS event with packetbeat

Hi team,

I am trying to drop certain events on my AD server since I have packet beat installed and listening for DNS ports.

I am somehow unable to get it working, and I would really appreciate it if someone could help me with this.

Here is what I am trying to do.

```yaml
- type: dns
  # Configure the ports where to listen for DNS traffic. You can disable
  # the DNS protocol by commenting out the list of ports.
  ports: [53]

processors:
  - drop_event:
      when:
        contains:
          dns.question.etld_plus_one: "example.com"
```

Plus, I wanted to know how I use AND/OR with the above processor, as I also need to drop the events when the field contains `in-addr.arpa`.

TIA
Blason R

Hi @Blason

All the logic for the processors can be found here

Also, it is difficult to read your configuration; it is much better if you surround it with the code formatting button found at the top of the editor (</>).

And when you say it is not working, additional information such as: is it failing at startup? do you still see the events in the logs? etc. is helpful; otherwise it is very hard to know what is not working.

My bad. "Not working" as in: as soon as the modified yml file is loaded, the service refuses to start, and it is pretty surely due to misconfiguration.

And here is the config in a properly formatted manner:

```yaml
- type: dns
  ports: [53]
```

And here are my processors:

```yaml
processors:
  - drop_event:
      when:
        contains:
          dns.question.etld_plus_one: "example.com"
```

If you look at the error messages, they should point you to the lines; yml files are hard to debug. If you use an editor that does yml checking or an online yml checker like here, that should help. In general the `when` and `contains` above look ok to me, but you may have bad yml / indentation there or elsewhere.

You can also post a few lines of the error and perhaps someone can help...

Nope, I got it working, thanks for the help; I am just keen to know about AND/OR operators with processors. Can you help me with the syntax, please?

```yaml
processors:
  - drop_event:
      when:
        contains:
          dns.question.etld_plus_one: "example.com"
```

OR

`contains: dns.question.etld_plus_one: "in-addr.arpa"`

Syntax is right here:

```yaml
or:
  - <condition1>
  - <condition2>
  - <condition3>
  ...
```

Hi there,

There is something wrong with the YAML spacing, hence I am not understanding the correct spaces to be used with the OR or AND operators.

e.g.

```yaml
- drop_event:
    when:
      contains:
        dns.question.etld_plus_one: "example.com"
- drop_event:
    when:
      contains:
        dns.question.etld_plus_one: "in-addr.arpa"
```

However, I wanted to configure it like this:

```yaml
- drop_event:
    when:
      contains:
        dns.question.etld_plus_one: "example.com"
or:
      contains:
        dns.question.etld_plus_one: "in-addr.arpa"
```

Yes, yml is very specific. I use 2 spaces (don't mix in tabs); the `-` items in a list take 2 spaces, plus 2 spaces for the sub-items, so it should look like this. I just made this work, so it should work specifically how I have it laid out.

```yaml
- type: dns
  # Configure the ports where to listen for DNS traffic. You can disable
  # the DNS protocol by commenting out the list of ports.
  ports: [53]
  processors:
  - drop_event:
      when:
        or:
          - contains:
              dns.question.etld_plus_one: "yahoo.com"
          - contains:
              dns.question.etld_plus_one: "google.com"
```

EDIT : Removed 2nd example as the syntax was not correct, my error.
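As an added illustration (not code from this thread or from Packetbeat itself), here is a small Python evaluator for the subset of Beats condition syntax discussed above (`contains`, `equals`, `or`, `and`, `not`), applied to constructed DNS events with the asker's two domains. It shows a caveat worth checking before deploying the drop rule: `contains` is a substring match, so it also drops events for a domain such as `notexample.com`, whereas `equals` drops only the exact eTLD+1.

```python
from typing import Any, Dict, List

# Constructed sample events in Packetbeat's dns.question.* layout (not real captures).
EVENTS: List[Dict[str, Any]] = [
    {"dns": {"question": {"name": "www.example.com", "etld_plus_one": "example.com"}}},
    {"dns": {"question": {"name": "4.3.2.1.in-addr.arpa", "etld_plus_one": "in-addr.arpa"}}},
    {"dns": {"question": {"name": "api.notexample.com", "etld_plus_one": "notexample.com"}}},
    {"dns": {"question": {"name": "mail.corp.local", "etld_plus_one": "corp.local"}}},
]

def get_field(event: Dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted field name such as dns.question.etld_plus_one."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches(cond: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Evaluate one condition; or/and take a list, not takes a single condition."""
    if "or" in cond:
        return any(matches(c, event) for c in cond["or"])
    if "and" in cond:
        return all(matches(c, event) for c in cond["and"])
    if "not" in cond:
        return not matches(cond["not"], event)
    if "contains" in cond:  # substring match on string fields
        return all(isinstance(get_field(event, f), str) and v in get_field(event, f)
                   for f, v in cond["contains"].items())
    if "equals" in cond:    # exact match
        return all(get_field(event, f) == v for f, v in cond["equals"].items())
    raise ValueError(f"unsupported condition: {cond}")

def kept_names(events: List[Dict[str, Any]], when: Dict[str, Any]) -> List[str]:
    """Simulate drop_event.when: return query names of the events that survive."""
    return [e["dns"]["question"]["name"] for e in events if not matches(when, e)]

FIELD = "dns.question.etld_plus_one"
# Same shape as the final config above, with the asker's domains instead of yahoo/google.
WHEN_OR_CONTAINS = {"or": [{"contains": {FIELD: "example.com"}},
                           {"contains": {FIELD: "in-addr.arpa"}}]}
# Exact-match variant: only the listed eTLD+1 values are dropped.
WHEN_OR_EQUALS = {"or": [{"equals": {FIELD: "example.com"}},
                         {"equals": {FIELD: "in-addr.arpa"}}]}

if __name__ == "__main__":
    print("contains keeps:", kept_names(EVENTS, WHEN_OR_CONTAINS))
    print("equals keeps:  ", kept_names(EVENTS, WHEN_OR_EQUALS))
```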

Awesome!! Thanks man.

Really appreciate your quick response.
