[Oisf-users] Suricata IPS with named - Please suggest use case

Blason R blason16 at gmail.com
Sat Dec 23 19:49:49 UTC 2017

Hi Guys,

Can someone please help me with this idea? I have DNS server set up on
CentOS 7.4 which is acting as a sinkhole server where I have installed ELK
stack as well.

Since this named/bind is acting as a sinkhole it is already blocking
malicious known domains collected from OSINT.

My idea here is; if it is possible to integrate/install suricata IPS on
same server and monitor on eth0? And since that is a DNS server can I block
the response IP addresses received which may be malicious.

for example

www.looks-genuine.com = Domain may not be listed in blacklist ==> But IP is malicious hence either block it or alert it

Plus detect the advance level of DNS attacks? like iodine, DNS beacon
channels queries?

Please suggest; can this be achieved?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20171224/5f42f42c/attachment.html>

More information about the Oisf-users mailing list