[Rule Tuning] Abnormally Large DNS Response

[eric-forte-elastic]

Pull Request

Issue link(s):
Resolves #5509

Summary - What I changed

Small tuning to further filter detections based on an increased destination bytes size and connection duration. Flow-style network appliances such as PAN-OS may only report the DNS traffic upon completion/termination of the flow, as such they can be FP prone in the current logic.

TPs would generally not cause a flow duration of over 60 seconds unless specifically crafted to do so. The attack flow causes the DNS server to crash, which would cause the initial connection to terminate. The specific crafting to be able to bypass the rule is not so much a limitation of the rule logic, rather it is a limitation of flow-based detection mechanisms compared to transaction level sources.

How To Test

Verify in Telemetry.

And/or use RTAs in elastic/cortado#34

Checklist

• Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
• Added the meta:rapid-merge label if planning to merge within 24 hours
• Secret and sensitive material has been managed correctly
• Automated testing was updated or added to match the most common scenarios
• Documentation and comments were added for features that require explanation

Contributor checklist

• Have you signed the contributor license agreement?
• Have you followed the contributor guidelines?

[tradebot-elastic]

⛔️ Test failed

Results

• ❌ Abnormally Large DNS Response (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta

[github-actions]

Enhancement - Guidelines

These guidelines serve as a reminder set of considerations when addressing adding a feature to the code.

Documentation and Context

• Describe the feature enhancement in detail (alternative solutions, description of the solution, etc.) if not already documented in an issue.
• Include additional context or screenshots.
• Ensure the enhancement includes necessary updates to the documentation and versioning.

Code Standards and Practices

• Code follows established design patterns within the repo and avoids duplication.
• Ensure that the code is modular and reusable where applicable.

Testing

• New unit tests have been added to cover the enhancement.
• Existing unit tests have been updated to reflect the changes.
• Provide evidence of testing and validating the enhancement (e.g., test logs, screenshots).
• Validate that any rules affected by the enhancement are correctly updated.
• Ensure that performance is not negatively impacted by the changes.
• Verify that any release artifacts are properly generated and tested.
• Conducted system testing, including fleet, import, and create APIs (e.g., run make test-cli, make test-remote-cli, make test-hunting-cli)

Additional Checks

• Verify that the enhancement works across all relevant environments (e.g., different OS versions).
• Confirm that the proper version label is applied to the PR patch, minor, major.

[tradebot-elastic]

⛔️ Test failed

Results

• ❌ Abnormally Large DNS Response (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta

[imays11]

No FP section?

[eric-forte-elastic]

To match what is done in other rules, removing this per #6201 (comment). as it is covered in the guide, and generally not expected to happen.

[tradebot-elastic]

⛔️ Test failed

Results

• ❌ Abnormally Large DNS Response (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta

[tradebot-elastic]

⛔️ Test failed

Results

• ❌ Abnormally Large DNS Response (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta

[tradebot-elastic]

⛔️ Test failed

Results

• ❌ Abnormally Large DNS Response (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta