• 2 replies
  • Latest Post - ‏2013-08-07T14:35:59Z by dwight s (IBM)
1 Post

Pinned topic Custom Flow Property for DNS Query

‏2013-07-05T19:15:34Z |


I was wondering if anyone in this forum has experience in writing custom properties to extract specific fields out of flows, specifically "domains" in a DNS Query (TypeA). 

Based on the DNS Message we have the following fields:

identification - 2bytes,

flags - 2 bytes,

number of questions - 2 bytes,

number of answers - 2bytes,

number of authority RR - 2 bytes,

number of additional RR - 2 bytes

payload - variable

query type - 2 bytes

query class - 2 bytes

The following shows an example for (which translates into 03www04nasa03com where each digit corresponds to the length of the string that it is preceeding). The following is the information displayed in the payload box:

19 e8 01 00 00 01 00 00 00 00 00 00 03 77 77 77   .............www 

 04 6e 61 73 61 03 63 6f 6d 00 00 01 00 01      

In the "Extract Property" box, the payload information is displayed as follows:  ............wwwnasacom....

I am using the following RegExp in the Custom properties to extract the domain:  .{12}(.*).{5} which seems to work fine and extracts the following: wwwnasacom

However, when I try to create a rule or BB for the custom property to match (as an example) wwwnasacom it doesn't work. 

Has anyone tested extracting information from DNS flows?  Is this the correct approach to extract this info? 


Any help is appreciated, Thanks










  • Aaron_Breen(IBM)
    7 Posts

    Re: Custom Flow Property for DNS Query


    I have never written am extention on flows, so I do not have much to offer, however I can tell you that the vast majority of customers get this information through proxy/dns records on the event side. 

  • dwight s (IBM)
    dwight s (IBM)
    7 Posts

    Re: Custom Flow Property for DNS Query


    Hi Carlos ...

    I've found too, that most dns traffic coming in from the flow side in QRadar is somewhat binary, and thus not easily parsed out into custom properties.  Even when it is, many of the characters are unprintable ones (the 03, 04, etc, hex chars), and thus can't really be used in rules because of that. 

    As Aaron suggests, getting dns lookups via an event stream is likely to be more effective.