[Oisf-users] practical use of dns log

Cooper F. Nelson cnelson at ucsd.edu
Tue Nov 26 21:53:02 UTC 2013



You might want to look into the logstash and kibana projects.  Logstash
can be used with a program called 'grok' to insert arbitrary data into
an elasticsearch database.

You can also capture/index DNS traffic off of the wire via the 'moloch'
project.  See: https://github.com/aol/moloch

-Coop

On 11/26/2013 12:49 AM, Christophe Vandeplas wrote:
> Hi list,
> 
> 
> In the past I've been using another tool to do DNS logging, and now
> I'd like to use Suricata for this. The format of the file is
> completely different, and also a part of the interpretation (Suricata
> is a LOT more verbose and complete)
> 
> DNS logging of Suricata is multiple lines per DNS request (and
> response). So searching for things requires multiple greps and
> filtering out duplicate ids.
> 
> I'm wondering how others use this DNS logging.
> All stories (on or off-list) and practical use-cases are welcome.
> I'll do my best to document these on the wiki so that others can
> benefit from this info.
> 
> As far as I understand there seem to be plans to transform the logging
> into json, is there already an idea about when that's to be expected?
> 
> 
> Thanks
> Kind regards
> Christophe
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
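The multi-line-per-transaction problem raised in the quoted mail, as an added example that is not from either poster: a small Python script that folds Suricata's line-based dns.log into one record per DNS transaction (query plus all its answers, keyed on TX id, client endpoint and name, since TX ids repeat across clients) and emits it as JSON lines, so one grep finds the query and its answers together. The field layout and the sample lines are assumptions constructed for this example, not a documented format.

```python
import json

# Constructed sample lines in the assumed shape of Suricata's line-based dns.log
# (field order is an assumption, not a documented format):
#   <ts> [**] Query TX <id> [**] <name> [**] <type> [**] <src> -> <dst>
#   <ts> [**] Response TX <id> [**] <name> [**] <type> [**] TTL <n> [**] <rdata> [**] <src> -> <dst>
SAMPLE_LOG = """\
11/26/2013-12:49:00.000100 [**] Query TX 2d73 [**] www.example.com [**] A [**] 192.0.2.10:54001 -> 192.0.2.53:53
11/26/2013-12:49:00.000900 [**] Response TX 2d73 [**] www.example.com [**] A [**] TTL 300 [**] 198.51.100.7 [**] 192.0.2.53:53 -> 192.0.2.10:54001
11/26/2013-12:49:00.000950 [**] Response TX 2d73 [**] www.example.com [**] A [**] TTL 300 [**] 198.51.100.8 [**] 192.0.2.53:53 -> 192.0.2.10:54001
11/26/2013-12:49:01.000100 [**] Query TX 2d73 [**] mail.example.org [**] MX [**] 192.0.2.11:54002 -> 192.0.2.53:53
11/26/2013-12:49:03.000100 [**] Query TX 0a1b [**] noanswer.example.net [**] A [**] 192.0.2.10:54003 -> 192.0.2.53:53
"""

def parse_line(line):
    # Split one line into fields; return None for anything that does not fit.
    fields = line.strip().split(" [**] ")
    if len(fields) < 5 or " TX " not in fields[1]:
        return None
    kind, _, tx_id = fields[1].split(" ")
    src, dst = fields[-1].split(" -> ")
    rec = {"ts": fields[0], "kind": kind, "tx_id": tx_id, "name": fields[2], "type": fields[3]}
    if kind == "Query":
        rec["client"], rec["server"] = src, dst
    elif kind == "Response" and len(fields) >= 7:
        rec["client"], rec["server"] = dst, src  # response flows server -> client
        rec["ttl"], rec["rdata"] = int(fields[4].split(" ")[1]), fields[5]
    else:
        return None
    return rec

def correlate(log_text):
    # Fold query and response lines into one record per transaction. The TX id
    # alone is not unique (clients reuse ids), so key on client and name too.
    txs = {}  # insertion-ordered on Python 3.7+
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        key = (rec["tx_id"], rec["client"], rec["name"])
        tx = txs.setdefault(key, {"tx_id": rec["tx_id"], "client": rec["client"],
            "server": rec["server"], "name": rec["name"], "type": rec["type"],
            "first_seen": rec["ts"], "answers": [], "answered": False})
        if rec["kind"] == "Response":
            tx["answered"] = True
            tx["answers"].append({"rdata": rec["rdata"], "ttl": rec["ttl"]})
    return list(txs.values())

def to_json_lines(records):
    # One JSON object per transaction, so a single grep finds query and answers;
    # "answered": false flags queries that never got a response.
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)

if __name__ == "__main__":
    print(to_json_lines(correlate(SAMPLE_LOG)))
```

Feeding a real dns.log through `correlate()` instead of `SAMPLE_LOG` gives the same per-transaction view, which is also the shape a JSON output would be grepped or indexed in.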


