[Oisf-users] practical use of dns log

Cooper F. Nelson cnelson at ucsd.edu
Wed Nov 27 19:11:03 UTC 2013


Splunk isn't an option for many people for high-volume logs (like DNS)
as its pricing structure is too expensive.

To be honest, I don't use any of the logging features of suricata other
than the fast and unified2 alerts.

As mentioned, I think there are better stand-alone solutions on the
market (like bro and moloch) for doing application layer logging,
indexing and searching.  Provided you have a powerful enough box you can
run more than one tool on the same sensor.

*But*, once suricata can output everything in JSON format so it can be
integrated with logstash/elasticsearch I have a feeling it's going to be
the ideal all-in-one solution.

Anyway, if you have the time I'd highly suggest trying moloch.  It can
use bpf filters, so if you only want to record/index DNS traffic just
set the filter to 'port 53'.

-Coop

On 11/27/2013 2:30 AM, Christophe Vandeplas wrote:
> Hi all,
> Thank you for the long replies.
> @Kevin: gamelinux passivedns is indeed great, I've been using it for a while.
> @Peter and Coop: Elasticsearch, logstash and elsa are comparable to
> splunk, a tool to index data and search for it.
> The thing I'm more specifically looking for are practical uses of the
> DNS logging format of Suricata.
> The reason is that it's a LOT different from the output I'm used to
> from gamelinux passivedns (and from some other pdns web interfaces I have
> access to) and I'm currently evaluating if i) it is worth switching to
> the suricata pdns now, or should I wait for the json output and the
> more philosophical ii) is

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
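One practical use of a JSON-lines DNS log of the kind Coop anticipates above, added here as an example (it is not code from Suricata, Moloch or either poster): index answers into a passive-DNS table and measure each client's NXDOMAIN share, which is the sort of question people usually end up asking a DNS log. The record layout (event_type, dns.type, rrname, rrtype, rdata, rcode, timestamp, src_ip, dest_ip) is an assumption modelled on Suricata's EVE dns events, and the sample lines are constructed, not captured traffic.

```python
"""Passive-DNS aggregation over JSON-lines DNS events (added example).

Field names below are an assumption modelled on Suricata's EVE dns events;
rename them to match whatever your sensor actually emits.
"""
import json
from collections import defaultdict

# Constructed sample events, not captured traffic.
SAMPLE_LOG = """\
{"timestamp":"2013-11-27T19:00:01.000000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","dns":{"type":"query","id":1,"rrname":"www.example.com","rrtype":"A"}}
{"timestamp":"2013-11-27T19:00:01.010000","event_type":"dns","src_ip":"10.0.0.53","dest_ip":"10.0.0.5","dns":{"type":"answer","id":1,"rrname":"www.example.com","rrtype":"A","rdata":"93.184.216.34","rcode":"NOERROR"}}
{"timestamp":"2013-11-27T19:00:02.000000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","dns":{"type":"query","id":2,"rrname":"www.example.com","rrtype":"A"}}
{"timestamp":"2013-11-27T19:00:02.010000","event_type":"dns","src_ip":"10.0.0.53","dest_ip":"10.0.0.5","dns":{"type":"answer","id":2,"rrname":"www.example.com","rrtype":"A","rdata":"93.184.216.35","rcode":"NOERROR"}}
{"timestamp":"2013-11-27T19:00:03.000000","event_type":"dns","src_ip":"10.0.0.9","dest_ip":"10.0.0.53","dns":{"type":"query","id":3,"rrname":"zq7x.example.net","rrtype":"A"}}
{"timestamp":"2013-11-27T19:00:03.010000","event_type":"dns","src_ip":"10.0.0.53","dest_ip":"10.0.0.9","dns":{"type":"answer","id":3,"rrname":"zq7x.example.net","rrtype":"A","rcode":"NXDOMAIN"}}
{"timestamp":"2013-11-27T19:00:04.000000","event_type":"dns","src_ip":"10.0.0.9","dest_ip":"10.0.0.53","dns":{"type":"query","id":4,"rrname":"k9pd.example.net","rrtype":"A"}}
{"timestamp":"2013-11-27T19:00:04.010000","event_type":"dns","src_ip":"10.0.0.53","dest_ip":"10.0.0.9","dns":{"type":"answer","id":4,"rrname":"k9pd.example.net","rrtype":"A","rcode":"NXDOMAIN"}}
{"timestamp":"2013-11-27T19:00:05.000000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"10.0.0.53","alert":{"signature":"not a dns event"}}
"""


def parse_events(text):
    """Parse JSON-lines input and keep only DNS events.

    Malformed lines are skipped rather than aborting, because a live log is
    usually read while the sensor is still appending to it.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        if ev.get("event_type") == "dns" and isinstance(ev.get("dns"), dict):
            events.append(ev)
    return events


def build_pdns(events):
    """Passive-DNS table: (rrname, rrtype, rdata) -> first/last seen and count.

    Only answers carrying data are indexed; what the resolver actually
    returned is the fact worth searching for later.
    """
    table = {}
    for ev in events:
        dns = ev["dns"]
        if dns.get("type") != "answer" or "rdata" not in dns:
            continue
        key = (dns.get("rrname"), dns.get("rrtype"), dns["rdata"])
        ts = ev["timestamp"]  # ISO-8601 strings sort lexically, so min/max work
        entry = table.setdefault(key, {"first_seen": ts, "last_seen": ts, "count": 0})
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
        entry["count"] += 1
    return table


def nxdomain_ratio(events):
    """Per-client share of answers that came back NXDOMAIN.

    Queries are attributed to src_ip (the client); answers flow the other
    way, so their client is dest_ip.
    """
    queries = defaultdict(int)
    nxdomain = defaultdict(int)
    for ev in events:
        dns = ev["dns"]
        if dns.get("type") == "query":
            queries[ev["src_ip"]] += 1
        elif dns.get("type") == "answer" and dns.get("rcode") == "NXDOMAIN":
            nxdomain[ev["dest_ip"]] += 1
    return {client: nxdomain[client] / queries[client] for client in queries if queries[client]}


def flag_clients(events, threshold=0.5):
    """Clients whose NXDOMAIN share meets the threshold, sorted for stable output."""
    return sorted(c for c, r in nxdomain_ratio(events).items() if r >= threshold)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for key, entry in sorted(build_pdns(evs).items()):
        print(key, entry)
    print("high NXDOMAIN share:", flag_clients(evs))
```

Feeding the real eve.json through `parse_events` instead of `SAMPLE_LOG` is the only change needed to run this over a sensor's output; the table keyed on (name, type, data) is also exactly the shape that indexes well in elasticsearch.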

