[Rule Tuning] Abnormally Large DNS Response (11013227-0301-4a8c-b150-4db924484475) #5509

@tradebot-elastic

Description

Rule Tuning Analysis

Rule ID: 11013227-0301-4a8c-b150-4db924484475
Rule Name: Abnormally Large DNS Response
Rule Type: query


Classification

| Metric | Value |
|---|---|
| Category | NOISY_PERFORMANT |
| Priority | MEDIUM |
| Tuning Score | 47.12 |
| Version Status | ✅ Established (41 release cycles) |

Alert Telemetry

| Metric | Value |
|---|---|
| Total Alerts (3d) | 69,577 |
| Unique Clusters | 13 |
| Cluster Coverage | 0.5% |
| Daily Average | 23192 |
| Days Active | 3 |
| Coefficient of Variation | 0.36 (MODERATE) |

Analysis Flags

  • 🔴 Noisy on Latest Version: ✅ Yes
  • 🔴 Widespread False Positive: ❌ No
  • ⚠️ Version Regression: ❌ No
  • ⚠️ Stale and Noisy: ❌ No
  • ⚠️ Low Version / High Volume: ❌ No
  • ℹ️ Low Activity: ❌ No

Recommendation

Action: Exclude flow-level events and focus on DNS transaction logs; use KQL to remove event.type:connection/event.action:network_flow and raise the threshold to >65000 bytes.

Rationale: The rule is overly broad: it matches flow-level network events (event.type:connection/event.action:network_flow) where network.bytes reflects entire UDP/TCP flows to port 53 rather than a single large DNS response. Sample alerts show long-duration, high-byte DNS flows from internal resolvers, not exploit-like single responses. Tightening the query to DNS transaction logs (type:dns/event.dataset:*.dns) and excluding flow events will substantially reduce noise while preserving detection for genuinely large DNS replies aligned to CVE-2020-1350.

Query Modifications

Flow telemetry (event.type:connection) is included via an OR clause, causing the rule to trigger on long-duration high-byte flows instead of single DNS responses. (Impact: both)

Current:

```
(event.dataset:zeek.dns or type:dns or event.type:connection)
```

Modify →

```
(event.dataset:(zeek.dns or network_traffic.dns) or type:dns) and not event.type:"connection" and not event.action:"network_flow"
```

Removing the connection branch and explicitly excluding flow actions focuses the rule on DNS transaction logs, matching the detection goal for abnormally large responses and significantly reducing benign resolver traffic.

Threshold is below a commonly referenced exploit-related response size (>65k), increasing sensitivity to benign traffic. (Impact: accuracy)

Current:

```
network.bytes > 60000
```

Modify →

```
network.bytes > 65000
```

Aligns with guidance that exploit-related responses were observed >65k; modestly reduces benign alerts while still detecting extremely large responses.

Overall query can be simplified to reduce OR complexity and improve execution efficiency while preserving intent. (Impact: both)

Current:

```
(event.dataset: network_traffic.dns or (event.category: (network or network_traffic) and destination.port: 53)) and (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000
```

Modify →

```
(event.dataset:(zeek.dns or network_traffic.dns) or type:dns) and destination.port: 53 and network.bytes > 65000 and not event.type:"connection" and not event.action:"network_flow"
```

Reduces OR branches, prioritizes DNS protocol datasets, and removes flow noise; improves accuracy and query performance.
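As an added example (not the Elastic rule's own logic and not advisor output), the current and proposed KQL above rewritten as Python predicates over ECS-style event dicts and run against three constructed sample events, so the effect of dropping the flow branch and raising the threshold can be checked before the rule is edited. It assumes ECS field names plus the packetbeat-style top-level `type` field the rule references; list-valued fields such as `event.category` and `event.type` are handled as KQL does.

```python
# Added example, not the Elastic rule or the advisor's code: the current and
# proposed KQL modelled as Python predicates over ECS-style event dicts.
def _get(e, field):  # dotted ECS field lookup, None if any segment is absent
    cur = e
    for part in field.split("."):
        cur = cur.get(part) if isinstance(cur, dict) else None
    return cur

def _has(value, *wanted):
    """KQL 'field: (a or b)' semantics for scalar or list-valued ECS fields."""
    return any(v in wanted for v in (value if isinstance(value, list) else [value]))

def current_query(e):
    # Current rule: the event.type:connection branch lets long-lived port-53
    # flows match, and the byte threshold is 60000.
    dns_scope = _has(_get(e, "event.dataset"), "network_traffic.dns") or (
        _has(_get(e, "event.category"), "network", "network_traffic")
        and _get(e, "destination.port") == 53)
    source = (_has(_get(e, "event.dataset"), "zeek.dns") or _get(e, "type") == "dns"
              or _has(_get(e, "event.type"), "connection"))
    return dns_scope and source and (_get(e, "network.bytes") or 0) > 60000

def proposed_query(e):
    # Proposed rule: DNS transaction datasets only, port 53, > 65000 bytes,
    # with flow-level records explicitly excluded.
    dns_source = (_has(_get(e, "event.dataset"), "zeek.dns", "network_traffic.dns")
                  or _get(e, "type") == "dns")
    return (dns_source and _get(e, "destination.port") == 53
            and (_get(e, "network.bytes") or 0) > 65000
            and not _has(_get(e, "event.type"), "connection")
            and not _has(_get(e, "event.action"), "network_flow"))

# Constructed samples: a long-lived resolver flow (the noisy case from the
# issue), a genuinely large DNS response, and a Zeek DNS record of 62000 bytes.
SAMPLE_EVENTS = [
    {"id": "flow-1", "event": {"dataset": "network_traffic.flow", "category": ["network"],
                               "type": ["connection"], "action": "network_flow"},
     "destination": {"port": 53}, "network": {"bytes": 120000}},
    {"id": "dns-2", "type": "dns", "event": {"dataset": "network_traffic.dns",
                                             "category": ["network"], "type": ["protocol"]},
     "destination": {"port": 53}, "network": {"bytes": 70000}},
    {"id": "zeek-3", "event": {"dataset": "zeek.dns", "category": ["network"]},
     "destination": {"port": 53}, "network": {"bytes": 62000}},
]

def compare(events):
    """Ids matched by the current and by the proposed query, for side-by-side review."""
    return ([e["id"] for e in events if current_query(e)],
            [e["id"] for e in events if proposed_query(e)])
```

Running `compare(SAMPLE_EVENTS)` shows the flow record and the 62000-byte Zeek record dropping out under the proposed query while the 70000-byte DNS response is still matched; the same predicates can be pointed at exported sample alerts from the issue's clusters.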

Exception Recommendations

Add exception: event.type is "connection" (Confidence: HIGH)

All provided samples (Events 1–5) include event.type: "connection" and represent long-lived flow telemetry, not discrete DNS responses. These flows inflate network.bytes and cause false positives. Excluding this value aligns the rule to DNS transactions (type:dns) and reduces noise without affecting exploit detection.

Modify →

```
and event.type is "connection"
```

Add exception: event.action is "network_flow" (Confidence: HIGH)

Samples 1–5 show event.action: "network_flow" across multiple clusters, indicating flow aggregation rather than DNS message records. Filtering this action removes bulk flow noise from network_traffic modules and concentrates alerts on actual DNS events.

Modify →

```
and event.action is "network_flow"
```

Field-Level Recommendations

| Field | Value | Alert % | Cluster % | Confidence | Type |
|---|---|---|---|---|---|
| event.type | connection | 0.0% | 75.0% | HIGH | EXCEPTION |
| event.action | network_flow | 0.0% | 70.0% | HIGH | EXCEPTION |

This issue was generated by the GenAI Tradecraft Rule Tuning Advisor.
Analysis timestamp: 2025-12-23T06:11:35.432208
