You might want to review the size and number of DNS packets being transmitted over your network when doing the following:
Prerequisites
In order to execute this procedure in your environment, the following data, services, or apps are required:
- Network resolution data
Example
You want to monitor your network for large DNS packets or an unusually high volume of DNS packets, both of which can be an early sign of data exfiltration.
NOTE: To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses Stream DNS data. You can replace this source with any other network resolution data used in your organization.
- Run the following search:
eventtype="stream_dns" message_type="Query"
| mvexpand query
| eval queryLength=len(query)
| stats count BY queryLength, src
| sort -queryLength, count
| table src queryLength count
| head 1000
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| `eventtype="stream_dns"` | Search only Stream DNS events. |
| `message_type="Query"` | Search for queries. |
| `\| mvexpand query` | Create a new event for each value found in the query field. |
| `\| eval queryLength=len(query)` | Calculate the length of the string in the query field. |
| `\| stats count BY queryLength, src` | Count the number of times each query length and source combination occurred. |
| `\| sort -queryLength, count` | Sort results with the largest requests first. |
| `\| table src queryLength count` | Display the results in a table with columns in the order shown. |
| `\| head 1000` | Show only the first 1,000 records. |
Result
Using the scatter chart visualization might help you see the outliers better. A high number of requests or large packets can indicate a security risk. For example, many common domains (www.google.com and www.bbc.co.uk) have a short query string and a small query count. If, however, malicious software opens a sensitive document that’s 5 Mb in size, chops it into 255-byte packets, and sends them via DNS requests, then you're likely to see many 255-byte packets.
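To show what the search above produces without a Splunk instance, here is an added Python example (not from the original page or from Splunk) that applies the same pipeline logic, filter queries, expand multivalued query fields, count by query length and source, sort largest first, to a constructed set of Stream-DNS-style records; the host names, IP addresses and the `flag_outliers` thresholds are assumptions.

```python
"""Added example: mirrors the SPL search (message_type filter, mvexpand,
eval len(query), stats count BY queryLength, src, sort -queryLength, count,
head) over constructed events so the resulting table can be inspected."""
from collections import Counter

# Constructed sample events. "query" is a list because Stream DNS can emit a
# multivalued query field, which is why the search needs mvexpand.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "message_type": "Query", "query": ["www.google.com"]},
    {"src": "10.0.0.5", "message_type": "Query", "query": ["www.bbc.co.uk"]},
    {"src": "10.0.0.5", "message_type": "Response", "query": ["www.bbc.co.uk"]},
    {"src": "10.0.0.9", "message_type": "Query",
     "query": ["www.google.com", "mail.google.com"]},
] + [
    # 40 same-length, long queries from one host: the "chopped file" pattern
    {"src": "10.0.0.7", "message_type": "Query",
     "query": [f"{i:04x}" + "a" * 55 + ".exfil.example"]}
    for i in range(40)
]


def query_length_table(events, limit=1000):
    """Return rows of {src, queryLength, count}, largest queryLength first,
    ties broken by ascending count, truncated to `limit` rows (head)."""
    counts = Counter()
    for ev in events:
        if ev.get("message_type") != "Query":      # message_type="Query"
            continue
        for q in ev.get("query", []):              # mvexpand query
            counts[(len(q), ev["src"])] += 1       # eval queryLength + stats
    rows = [{"src": s, "queryLength": n, "count": c}
            for (n, s), c in counts.items()]
    rows.sort(key=lambda r: (-r["queryLength"], r["count"]))
    return rows[:limit]


def flag_outliers(rows, min_length=50, min_count=20):
    """Rows where one source repeatedly sent queries of one unusually long
    length; thresholds are assumed values, tune them to your baseline."""
    return [r for r in rows
            if r["queryLength"] >= min_length and r["count"] >= min_count]


if __name__ == "__main__":
    for row in query_length_table(SAMPLE_EVENTS):
        print(f'{row["src"]:<10} {row["queryLength"]:>4} {row["count"]:>4}')
    print("outliers:", flag_outliers(query_length_table(SAMPLE_EVENTS)))
```

In the sample, the 40 queries of length 73 from 10.0.0.7 dominate the top of the table, which is the shape a scatter chart of queryLength against count makes easy to spot.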