I have been struggling with creating an effective custom DNS rule for my APM.
The canned rule that comes with the APM looks for all DNS traffic which is very noisy.
There are several other canned rules that look for a particular hostname which work just fine.
I am trying to write a rule that looks for the following (using the logical AND function):
Protocol = DNS
DNS Type = A Record
Source IP != DNS Servers (I only want to see the requests from the hosts to the DNS Servers to tune out some of the noise)
!hostname RegExp = “/[a-zA-Z]\.mycompany\.com/” (to exclude all of the intranet traffic)
I have tried using both Object Source IP and Flow Source IP.
I have tried with and without the hostname rule.
I have tried variations of the RegExp in the hostname rule.
I also tried variations of RegExp for filtering out anything “mcafee.com” and “trustedsource.org” with no luck.
I tried to invert part of the logic, removing the Source IP != DNS Servers, and making it Destination IP = DNS Servers, still no luck in reducing the noise.
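Added example, not part of the original post or of the APM product: a small Python model of the four ANDed conditions described above, run over constructed DNS records, with the hostname pattern exactly as written in the post beside an anchored variant. The DNS server addresses, record layout and sample hostnames are assumptions; the pattern as written requires a single letter immediately before `.mycompany.com`, so a name such as `host1.mycompany.com` is not excluded by it.

```python
import ipaddress
import re

# Constructed: addresses of the internal DNS servers (assumed values).
DNS_SERVERS = {ipaddress.ip_address("10.0.0.53"), ipaddress.ip_address("10.0.1.53")}

# The hostname pattern exactly as given in the post (unanchored, one letter before the dot).
INTRANET_RE = re.compile(r"[a-zA-Z]\.mycompany\.com")

# Anchored alternative covering the other domains the post wants to tune out:
# the domain must be the whole name or be preceded by a dot, and must end the string.
EXCLUDE_RE = re.compile(r"(^|\.)(mycompany\.com|mcafee\.com|trustedsource\.org)$", re.I)


def matches_rule(rec, hostname_re=INTRANET_RE):
    """True when a record satisfies all four conditions joined by logical AND:
    protocol is DNS, query type is A, source is not a DNS server,
    and the hostname does NOT match the exclusion pattern."""
    return (
        rec["protocol"] == "DNS"
        and rec["qtype"] == "A"
        and ipaddress.ip_address(rec["src_ip"]) not in DNS_SERVERS
        and not hostname_re.search(rec["hostname"])
    )


def filter_records(records, hostname_re=INTRANET_RE):
    """Return the hostnames of records the rule would still report (the remaining noise)."""
    return [r["hostname"] for r in records if matches_rule(r, hostname_re)]


# Constructed sample records (assumed layout: one dict per DNS request).
SAMPLE = [
    {"protocol": "DNS", "qtype": "A", "src_ip": "10.0.5.10", "hostname": "www.mycompany.com"},
    {"protocol": "DNS", "qtype": "A", "src_ip": "10.0.5.10", "hostname": "host1.mycompany.com"},
    {"protocol": "DNS", "qtype": "A", "src_ip": "10.0.5.11", "hostname": "www.example.com"},
    {"protocol": "DNS", "qtype": "A", "src_ip": "10.0.5.11", "hostname": "tsr.trustedsource.org"},
    {"protocol": "DNS", "qtype": "AAAA", "src_ip": "10.0.5.11", "hostname": "www.example.com"},
    {"protocol": "DNS", "qtype": "A", "src_ip": "10.0.0.53", "hostname": "www.example.com"},
]

if __name__ == "__main__":
    print("as written:", filter_records(SAMPLE))
    print("anchored:  ", filter_records(SAMPLE, EXCLUDE_RE))
```

The AAAA query and the request sourced from a DNS server drop out under both patterns; only the anchored pattern also removes the digit-suffixed intranet host and the trustedsource.org lookup.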