PaloAltoNetworks/SafeNetworking

Threat doc classified as SFN-DNS has no domain name

punisherVX opened this issue · 2 comments

When logstash encounters a THREAT DNS event, it should put the domain name in the `SFN.domain_name` field in the ES `threat*` index. However, if the event DNS lookup is to a domain with underscores (`_`) in it, it does not create that field and SFN code throws an error.

Example domain that broke it: `_adsp._domainkey.ecopromconsalting.ru`

This is fixable by using the DATA grok regex pattern rather than the HOSTNAME. See this for more explanation on the patterns used by grok.
This will only be done on the dns-cloud as we are already seeing underscores in domains in a few customers that are running the SFN4.0 alpha.
This will NOT be changed in content- or EDL-based parsers because we never see this as a problem. Probably because nobody is looking for it and it doesn't wind up in either the content or the EDLs.

This was fixed by changing the grok patterns in the logstash gtp.conf file. It is fixed in v3.5
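To show why the `HOSTNAME` grok pattern drops the field while `DATA` keeps it, here is a small added example (not code from SafeNetworking or Logstash) that expands `%{PATTERN:field}` tokens into Python named groups. `HOSTNAME` and `DATA` are the definitions from Logstash's bundled grok-patterns file; the log line layout and the `WORD`/`NUMBER` stand-ins are constructed for the example and are not the real PAN-OS THREAT log format.

```python
import re

# HOSTNAME and DATA are Logstash's bundled grok definitions. HOSTNAME only
# allows letters, digits and '-' in each label, so a label beginning with
# '_' can never match. WORD and NUMBER are simplified stand-ins.
GROK_PATTERNS = {
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})"
                r"(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)",
    "DATA": r".*?",
    "WORD": r"\b\w+\b",
    "NUMBER": r"(?:[+-]?(?:[0-9]+(?:\.[0-9]*)?|\.[0-9]+))",
}

_TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_compile(pattern: str) -> re.Pattern:
    """Turn a grok pattern into a Python regex with named capture groups."""
    def expand(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        regex = GROK_PATTERNS[name]
        # A callable replacement is inserted literally, so regex
        # metacharacters in the expansion survive untouched.
        return f"(?P<{field}>{regex})" if field else f"(?:{regex})"
    return re.compile(_TOKEN.sub(expand, pattern))


def grok_match(pattern: str, line: str):
    """Return the captured fields, or None when the whole pattern fails."""
    m = grok_compile(pattern).match(line)
    return m.groupdict() if m else None


# Constructed, simplified THREAT/dns line layout: type,subtype,domain,port
HOSTNAME_PATTERN = r"^%{WORD:type},%{WORD:subtype},%{HOSTNAME:domain_name},%{NUMBER:port}$"
DATA_PATTERN = r"^%{WORD:type},%{WORD:subtype},%{DATA:domain_name},%{NUMBER:port}$"

# Constructed sample lines; the first uses the domain from the issue.
UNDERSCORE_LINE = "THREAT,dns,_adsp._domainkey.ecopromconsalting.ru,25"
PLAIN_LINE = "THREAT,dns,www.example.com,25"

if __name__ == "__main__":
    # HOSTNAME rejects the whole line, so domain_name is never produced.
    print(grok_match(HOSTNAME_PATTERN, UNDERSCORE_LINE))   # None
    # DATA is permissive and captures the underscore domain intact.
    print(grok_match(DATA_PATTERN, UNDERSCORE_LINE)["domain_name"])
    print(grok_match(HOSTNAME_PATTERN, PLAIN_LINE)["domain_name"])
```

Because `DATA` is lazy and accepts anything, the pattern around it must pin down an unambiguous delimiter (here the comma followed by `NUMBER` and end of line); otherwise a stray separator in the field would shift every later capture.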