[Oisf-users] Suricata on DNS Sinkhole in IPS mode

Charles Devoe Charles.Devoe at cisecurity.org
Mon Mar 12 16:15:33 UTC 2018


Look in the etc directory in the suricata install directory. There is a sample suricata.service file.

Logging is set up in the yaml file

http://suricata.readthedocs.io/en/latest/output/index.html



Charles DeVoe Jr.
Manager of Engineering
Multi-State Information Sharing and Analysis Center (MS-ISAC)
31 Tech Valley Drive
East Greenbush, NY 12061

charles.devoe at cisecurity.org
(518) 266-3494
7x24 Security Operations Center
SOC at cisecurity.org - 1-866-787-4722


From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of Steve Castellarin <steve.castellarin at gmail.com>
Date: Monday, March 12, 2018 at 9:07 AM
To: Blason R <blason16 at gmail.com>
Cc: "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
Subject: Re: [Oisf-users] Suricata on DNS Sinkhole in IPS mode



Hi Blason,

I have no experience with questions 1 and 2, but for question 3 I have this configuration to log all DNS activity:

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve-dns.json
      types:
        - dns:
            query: yes
            answer: yes

On Sun, Mar 11, 2018 at 12:00 AM, Blason R <blason16 at gmail.com> wrote:
Hi Team,

I am trying to install Suricata in IPS mode on CentOS 7. Below are the challenges I am facing and need help with.

I have installed suricata using default RPM
Downloaded the rules

Now I need to start Suricata using default .yaml file,


  1.  Since CentOS7 has a different interface naming scheme how do I start Suricata using systemctl?
  2.  How do I run Suricata in IPS mode to block malicious DNS queries?
  3.  How do I log DNS events in JSON so that those can be indexed in elasticsearch?
TIA

_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/


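To show what the eve-dns.json records produced by the query/answer configuration quoted above look like once they are consumed (by elasticsearch or anything else), here is an added example that is not part of this thread: it reads eve lines, skips non-DNS and malformed records, and reports which client queried a name that resolved to the sinkhole address. The sample records and the sinkhole address 10.0.0.99 are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed sample lines in the shape Suricata 4.x eve-log writes for the
# dns query/answer config above; 10.0.0.99 is an assumed placeholder sinkhole.
SAMPLE_EVE = """\
{"timestamp":"2018-03-12T09:00:01.000000+0000","event_type":"dns","src_ip":"192.168.1.20","dest_ip":"192.168.1.53","proto":"UDP","dns":{"type":"query","id":41001,"rrname":"updates.example.net","rrtype":"A","tx_id":0}}
{"timestamp":"2018-03-12T09:00:01.001000+0000","event_type":"dns","src_ip":"192.168.1.53","dest_ip":"192.168.1.20","proto":"UDP","dns":{"type":"answer","id":41001,"rrname":"updates.example.net","rrtype":"A","ttl":60,"rdata":"93.184.216.34"}}
{"timestamp":"2018-03-12T09:00:02.000000+0000","event_type":"dns","src_ip":"192.168.1.21","dest_ip":"192.168.1.53","proto":"UDP","dns":{"type":"query","id":41002,"rrname":"bad.example.org","rrtype":"A","tx_id":0}}
{"timestamp":"2018-03-12T09:00:02.001000+0000","event_type":"dns","src_ip":"192.168.1.53","dest_ip":"192.168.1.21","proto":"UDP","dns":{"type":"answer","id":41002,"rrname":"bad.example.org","rrtype":"A","ttl":5,"rdata":"10.0.0.99"}}
{"timestamp":"2018-03-12T09:00:03.000000+0000","event_type":"dns","src_ip":"192.168.1.53","dest_ip":"192.168.1.21","proto":"UDP","dns":{"type":"answer","id":41003,"rrname":"gone.example.org","rrtype":"A","rcode":"NXDOMAIN"}}
{"timestamp":"2018-03-12T09:00:04.000000+0000","event_type":"alert","src_ip":"192.168.1.21","dest_ip":"192.168.1.53"}
not json at all
"""

SINKHOLE_IPS = {"10.0.0.99"}  # assumed placeholder sinkhole address


def parse_eve(text):
    """Yield decoded eve records, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a half-written or corrupt line must not stop the scan


def sinkhole_hits(text, sinkhole_ips):
    """Return {client_ip: sorted rrnames} for answers that resolved to a sinkhole."""
    hits = defaultdict(set)
    for rec in parse_eve(text):
        dns = rec.get("dns", {})
        if rec.get("event_type") != "dns" or dns.get("type") != "answer":
            continue
        # NXDOMAIN/SERVFAIL answers carry rcode but no rdata, so they are skipped.
        if dns.get("rdata") not in sinkhole_ips:
            continue
        # In an answer record src_ip is the resolver; the querying client is dest_ip.
        hits[rec["dest_ip"]].add(dns.get("rrname", ""))
    return {ip: sorted(names) for ip, names in hits.items()}


if __name__ == "__main__":
    for client, names in sinkhole_hits(SAMPLE_EVE, SINKHOLE_IPS).items():
        print(client, "resolved sinkholed name(s):", ", ".join(names))
```

The same function works on a live file by passing the contents of eve-dns.json; the client/resolver direction is the point to get right, since answer records are logged from the resolver's side.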

