Data Connector supports the following types of filters when processing data: client_ip, DNS record, ON-PREM HOST, OPHID, and query FQDN. Data is filtered in the following order: client_ip > DNS record type > ON-PREM HOST > OPHID > query FQDN.

Types of Filters

Client_ip

  • The client_ip data filter is applied to DNS query/response events, IPmeta data, and RPZ events. If the event is a query, specify the query source’s IP address; if the event is a response, specify the destination’s IP address.
  • Client_ip can be specified in the following formats:
    • As a single IPv4 or IPv6 address.

Example: 10.10.1.0, 2620:10a:6000:661e::523

    • As a range of IPv4 addresses, each consisting of two single IPs and a dash between them. There are no spaces between the IP addresses and the dash.

Example: 10.10.1.0-10.10.2.35

This format is applicable to the IPv4 address format only. IPv6 uses the CIDR notation.

    • As an IPv4 network address followed by a slash and a dotted-decimal mask, with no spaces between the address, the slash, and the mask.

Example: 10.10.1.0/255.255.255.0

This format is applicable to the IPv4 address format only.

    • As a CIDR block of a single IPv4 or IPv6 address, followed by a slash and a number, with no spaces between the IP addresses and the slash.

Example: 10.10.0.1/15, 2001:cdba:9abc:5678::/64
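As an added example (not Infoblox code), the following Python parses the four client_ip filter formats listed above with the standard ipaddress module and checks whether an event's client IP falls inside a filter; the function names are this example's own.

```python
import ipaddress

# Added example, not Infoblox code: the function names below are assumptions.
# Supported filter forms, as documented for client_ip:
#   single IPv4/IPv6 address, IPv4 range "a-b", IPv4 "network/dotted-mask",
#   IPv4/IPv6 CIDR block. No spaces are allowed anywhere in the filter.

def parse_client_ip_filter(spec: str):
    """Return (low, high) address objects spanning the filter, or raise ValueError."""
    if " " in spec:
        raise ValueError(f"spaces are not allowed in a client_ip filter: {spec!r}")
    if "-" in spec:
        # Range form is IPv4 only; IPv6 ranges must be written as CIDR blocks.
        lo_s, hi_s = spec.split("-", 1)
        lo, hi = ipaddress.IPv4Address(lo_s), ipaddress.IPv4Address(hi_s)
        if lo > hi:
            raise ValueError(f"range start is above range end: {spec!r}")
        return lo, hi
    if "/" in spec:
        addr_s, mask_s = spec.split("/", 1)
        if "." in mask_s and ":" in addr_s:
            raise ValueError(f"network/dotted-mask form is IPv4 only: {spec!r}")
        # strict=False: the page's own example 10.10.0.1/15 has host bits set,
        # and ipaddress accepts a dotted-decimal mask such as /255.255.255.0.
        net = ipaddress.ip_network(spec, strict=False)
        return net.network_address, net.broadcast_address
    addr = ipaddress.ip_address(spec)
    return addr, addr

def client_ip_matches(spec: str, client_ip: str) -> bool:
    """True when the event's client IP lies within the filter's address span."""
    lo, hi = parse_client_ip_filter(spec)
    ip = ipaddress.ip_address(client_ip)
    # An IPv4 filter never selects an IPv6 client (or vice versa); comparing
    # addresses of different families would raise TypeError.
    return ip.version == lo.version and lo <= ip <= hi
```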

DNS Record Type

  • The DNS Record Type filter can be applied on DNS query/response events and RPZ events. These records provide important details about domains and hostnames.

  • The following are the DNS Record Type filters:

    Filter Type | Field Value | Definition
    A | 1 | a host address
    AAAA | 28 | IP6 Address
    AFSDB | 18 | for AFS Data Base location
    AMTRELAY | 260 | Automatic Multicast Tunneling Relay
    APL | 42 | APL
    ATMA | 34 | ATM Address
    AVC | 258 | Application Visibility and Control
    AXFR | 252 | transfer of an entire zone
    CAA | 257 | Certification Authority Restriction
    CDS | 59 | Child DS
    CDNSKEY | 60 | DNSKEY(s) the Child wants reflected in DS
    CERT | 37 | CERT
    CNAME | 5 | the canonical name for an alias
    CSYNC | 62 | Child-To-Parent Synchronization
    DHCID | 49 | DHCID
    DNAME | 39 | DNAME
    DNSKEY | 48 | DNSKEY
    DOA | 259 | Digital Object Architecture
    DS | 43 | Delegation Signer
    EID | 31 | Endpoint Identifier
    EUI48 | 108 | an EUI-48 address
    EUI64 | 109 | an EUI-64 address
    GPOS | 27 | Geographical Position
    HINFO | 13 | host information
    HIP | 55 | Host Identity Protocol
    HTTPS | 65 | HTTPS Binding
    IPSECKEY | 45 | IPSECKEY
    ISDN | 20 | for ISDN address
    IXFR | 251 | incremental transfer
    KEY | 25 | for security key
    KX | 36 | Key Exchanger
    LOC | 29 | Location Information
    LP | 107 |
    L32 | 105 |
    L64 | 106 |
    MAILB | 253 | mailbox-related RRs (MB, MG or MR)
    MB | 7 | a mailbox domain name (EXPERIMENTAL)
    MG | 8 | a mail group member (EXPERIMENTAL)
    MINFO | 14 | mailbox or mail list information
    MR | 9 | a mail rename domain name (EXPERIMENTAL)
    MX | 15 | mail exchange
    NID | 104 |
    NS | 2 | an authoritative name server
    NULL | 10 | a null RR (EXPERIMENTAL)
    NSEC | 47 | NSEC
    NSEC3 | 50 | NSEC3
    NSEC3PARAM | 51 | NSEC3PARAM
    NSAP | 22 | for NSAP address, NSAP style A record
    NSAP-PTR | 23 | for domain name pointer, NSAP style
    NINFO | 56 | NINFO
    NIMLOC | 32 | Nimrod Locator
    NAPTR | 35 | Naming Authority Pointer
    OPT | 41 | OPT
    OPENPGPKEY | 61 | OpenPGP Key
    PTR | 12 | a domain name pointer
    PX | 26 | X.400 mail mapping information
    RP | 17 | for Responsible Person
    RT | 21 | for Route Through
    RRSIG | 46 | RRSIG
    RKEY | 57 | RKEY
    SIG | 24 | for security signature
    SINK | 40 | SINK
    SMIMEA | 53 | S/MIME cert association
    SOA | 6 | marks the start of a zone of authority
    SPF | 99 | Sender Policy Framework is used to indicate to mail exchanges which hosts are authorized to send mail for a domain
    SRV | 33 | Server Selection
    SSHFP | 44 | SSH Key Fingerprint
    SVCB | 64 | Service Binding
    TA | 32768 | DNSSEC Trust Authorities
    TALINK | 58 | Trust Anchor LINK
    TKEY | 249 | Transaction Key
    TLSA | 52 | TLSA
    TSIG | 250 | Transaction Signature
    TXT | 16 | text strings
    URI | 256 | URI
    WKS | 11 | a well known service description
    X25 | 19 | for X.25 PSDN address
    * | 255 | A request for some or all records the server has available

ON-PREM HOST

  • ON-PREM HOST is a display name of the on-prem host. Filtering by substring is allowed. 

  • Examples of ON-PREM HOST filter values:

    • iccrvr01.indu.test-example.com
    • ZTP_atlasautomation_8722411532980096350
    • APIKEY1
    • Inblox Test OnPrem

OPHID

  • This is a unique identifier of the on-prem host. The user can use this value or provide a custom-defined OPHID.

  • Examples of OPHID filter values:

    • e7d97bd6548y8bbasd766e3f8f3789jrob6

    • 4c168ec9ca885fa5d9ccca0d8dfe793f

    • cdc-filter-test

query FQDN (wildcard)

Filters are evaluated in the order presented above: that is, IP -> dns_view -> member name -> query FQDN. Filters within one category are evaluated in the order in which they are defined.

Member

The member data filter is applied to DNS query/response events and RPZ events. Specify the name of the Grid member that processed the query. The member data filter is evaluated as a regular expression.

Example: ns2.site1.xyz.com, infoblox.localdomain.*

FQDN Query

The query FQDN data filter is applied to DNS query/response events and RPZ events. A query filter rule combines valid FQDN syntax with wildcard tokens. The following are the FQDN Query rules:

  • Tokens can be on the left and right sides of an FQDN, not in the middle.
  • A rule can have zero, one, or two tokens.
  • If a rule has two tokens, they have to be on the opposite ends of the FQDN.
  • Tokens on the left side must be followed by a dot (except in the single-token case below).
  • Tokens on the right side must be preceded by a dot (except in the single-token case below).
  • Rule "?" is allowed. This rule signifies a single token with nothing else; use it to catch an FQDN composed of a single label.

Types of Tokens

Token | Description
* | Zero or more domain name labels; can be on the left side only
# | One or more domain name labels; can be on the left side only
? | Exactly one domain name label; can be on the right or left side

Examples of valid query filter rules

*.infoblox.com

amazon.?

*.google.?

#.org

*.cnn.?

#.github.?

facebook.com

?.facebook.com

?

?.

example.?.

?.google.?

Examples of invalid query filter rules

*infoblox.com - missing dot after star

amazon.??? - "?" is a token, not the regex "?" quantifier

.*.google.? - dot before star

#.*.org - two tokens on the left

cnn.* - star on the right

*.github.# - "#" on the right

* - single "*" token is not allowed

*. - single "*" token is not allowed

# - single "#" token is not allowed

#. - single "#" token is not allowed

?infoblox.com - dot is missing after "?"


Token to Regex Conversion

# -> ([^.]+\.?)+  One or more labels, where a label is one or more characters other than a dot, optionally followed by a dot.

* -> ([^.]+\.?)*  Zero or more labels, where a label is one or more characters other than a dot, optionally followed by a dot.

? -> ([^.]+\.?)?  A single label: one or more characters other than a dot, optionally followed by a dot.
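As an added example (not Infoblox code) covering both the FQDN Query rules listed earlier and the token-to-regex conversion above, the following Python validates a query filter rule and compiles it using the documented token patterns; the function names are this example's own.

```python
import re

# Added example, not Infoblox code: the function names below are assumptions.
# Token mappings are the documented ones; rules are checked first.
TOKEN_REGEX = {
    "#": r"([^.]+\.?)+",   # one or more labels, left side only
    "*": r"([^.]+\.?)*",   # zero or more labels, left side only
    "?": r"([^.]+\.?)?",   # a single label, left or right side
}
LABEL = re.compile(r"[A-Za-z0-9_-]+")   # a plain (non-token) FQDN label

def parse_rule(rule: str) -> list:
    """Split a rule into labels; raise ValueError if it breaks the rules above."""
    body = rule[:-1] if len(rule) > 1 and rule.endswith(".") else rule  # "?." and "example.?." are valid
    labels = body.split(".")
    if not all(labels):
        raise ValueError(f"stray dot in {rule!r}")
    for i, lab in enumerate(labels):
        if lab in TOKEN_REGEX:
            if i not in (0, len(labels) - 1):
                raise ValueError(f"token {lab!r} must be at an end of {rule!r}")
            if lab != "?" and i != 0:
                raise ValueError(f"token {lab!r} is allowed on the left side only: {rule!r}")
        elif not LABEL.fullmatch(lab):   # e.g. "*infoblox" (no dot after token) or "???"
            raise ValueError(f"{lab!r} is neither a token nor a valid label in {rule!r}")
    if labels in (["*"], ["#"]):
        raise ValueError(f"only '?' may stand alone, not {rule!r}")
    return labels

def is_valid_rule(rule: str) -> bool:
    try:
        parse_rule(rule)
        return True
    except ValueError:
        return False

def rule_to_regex(rule: str) -> "re.Pattern":
    """Anchored, case-insensitive regex built from the documented token patterns."""
    parts = []
    labels = parse_rule(rule)
    for i, lab in enumerate(labels):
        # A left-side token already carries its optional dot; after a plain label the dot is literal.
        if i > 0 and (lab in TOKEN_REGEX or labels[i - 1] not in TOKEN_REGEX):
            parts.append(r"\.")
        parts.append(TOKEN_REGEX.get(lab) or re.escape(lab))
    return re.compile("^" + "".join(parts) + r"\.?$", re.IGNORECASE)

def fqdn_matches(rule: str, fqdn: str) -> bool:
    return rule_to_regex(rule).match(fqdn) is not None
```

Because each documented token pattern ends in `\.?`, the dot separating a token from the next label is optional in the compiled regex, so a converted rule can match slightly more than its literal wildcard form suggests.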


