Multiple sourcetypes correlation fields

b571194trbvmcom · ‎10-16-2014

Hey! i need a little help here, so i have two sourcetypes (bro_dns and sguild) and there is what i want to search

for all dns queries i want to see if happened a download of an .exe file from that IP

at this time i have this search

10.69.70.2 (internal dns)
195.23.129.126 (external dns)

(sourcetype=bro_dns AND src_ip=10.69.70.2 AND dest_ip=195.23.129.126 AND qtype_name=A) OR (sourcetype=sguild AND (name="EXE" OR name="INFO Packed")) | eval splitted=split(answers, ",")

but with this search... my result only have fields with IP 10.69.70.2... all my events from sguild sourcetype are gonne... (events from other IPs that had downloaded files...)

in SQL i would solve this with a select all exe events where src_ip in (select all dns from source = X and destination = Y)

any one could help me?

Many thanks

somesoni2 · ‎10-16-2014

How about this (assuming based on the SQL query your wrote, src_ip is a common field between two sourcetype)

sourcetype=sguild AND (name="EXE" OR name="INFO Packed") [search sourcetype=bro_dns AND src_ip=10.69.70.2 AND dest_ip=195.23.129.126 AND qtype_name=A | stats count by src_ip | table src_ip] | eval splitted=split(answers, ",")

Multiple sourcetypes correlation fields

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!