I was hoping that someone could help me out with a query. I am trying to correlate a DNS request to the firewall IP that was being forwarded. The firewall shows only the IP related to a rule that fired, and I am trying to create a query that will capture the domain name query (DNS) that was associated with the rule (FIREWALL).
I have:

sourcetype=named  query from IP: 72.9.231.10 Port:3391 Name: Paimia.com Destination: 141.101.116.157

sourcetype=snort_alerts  Blackhole_toolkit 141.101.116.157

I want to build a query which will show all events from the sourcetype=snort Blackhole_toolkit rule whose destination IPs are in common with destination IPs in the sourcetype=named events.
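One way to express this correlation, as an added example and not part of the original post: both sourcetypes are searched together, the destination IP is extracted from each raw layout shown above into a common field, and `eventstats` carries the DNS names seen for each destination IP onto the snort events. The field names `src_ip`, `src_port`, `domain`, `dest_ip`, `dns_names` and `dns_clients` are assumptions, and the two `rex` patterns assume the raw event layouts quoted above; if your `named` sourcetype already has those fields extracted, drop the first `rex`.

```spl
(sourcetype=named OR (sourcetype=snort_alerts AND Blackhole_toolkit))
| rex field=_raw "query from IP:\s*(?<src_ip>[\d.]+)\s+Port:\s*(?<src_port>\d+)\s+Name:\s*(?<domain>\S+)\s+Destination:\s*(?<dest_ip>[\d.]+)"
| rex field=_raw "Blackhole_toolkit\s+(?<dest_ip>[\d.]+)"
| eventstats values(domain) AS dns_names, values(src_ip) AS dns_clients BY dest_ip
| where sourcetype="snort_alerts" AND isnotnull(dns_names)
| table _time sourcetype dest_ip dns_names dns_clients _raw
```

The `where` line keeps only the Blackhole_toolkit alerts whose destination IP also appears in at least one DNS answer within the search time range, with the matching names and querying clients attached. Because `eventstats` groups only by IP and not by time, keep the time range tight (or add a `transaction dest_ip maxspan=...`) so that a DNS answer from hours earlier is not reported as the cause of an alert.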