[Oisf-users] DNS Logs into ELK

Blason R blason16 at gmail.com
Thu Mar 22 09:38:02 UTC 2018 

Hi there,

I have setup a DNS server and installed Suricata on it. Suricata is
blocking DNS requests based on rules and onion domains. My next requirement
is to divert those logs into ELK.

Can someone please tell me which logs should be picked up so that, fast.log
or dns.log or eve.json any other??


   1. Logs ingestion would be easy as I dont have to write parsers since I
   guess Suricata is logging into JSON format
   2. Which logs should be considered from security perspective?
   3. How can I start logging only DNS logs and stop any other?


Here are my DNS logs

03/22/2018-14:49:37.517251  [wDrop] [**] [1:5700011:1] Phase1: Malicious
domain 57g7spgrzlojinas.onion [**] [Classification: (null)] [Priority: 3]
{UDP} 192.168.1.9:65410 -> 192.168.1.42:53
03/22/2018-14:49:37.517251  [**] [1:2014939:1] ET POLICY DNS Query for TOR
Hidden Domain .onion Accessible Via TOR [**] [Classification: Potential
Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.1.9:65410 ->
192.168.1.42:53
03/22/2018-14:49:37.518355  [wDrop] [**] [1:5700011:1] Phase1: Malicious
domain 57g7spgrzlojinas.onion [**] [Classification: (null)] [Priority: 3]
{UDP} 192.168.1.42:20859 -> 192.228.79.201:53
03/22/2018-14:49:37.750217  [wDrop] [**] [1:5700011:1] Phase1: Malicious
domain 57g7spgrzlojinas.onion [**] [Classification: (null)] [Priority: 3]
{UDP} 192.168.1.9:65411 -> 192.168.1.42:53
03/22/2018-14:49:37.750217  [**] [1:2014939:1] ET POLICY DNS Query for TOR
Hidden Domain .onion Accessible Via TOR [**] [Classification: Potential
Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.1.9:65411 ->
192.168.1.42:53

##################################
./eve.json:{"timestamp":"2018-03-22T14:49:40.014495+0530","flow_id":1201901318977695,"in_iface":"eno16777736","event_type":"alert","src_ip":"192.168.1.9","src_port":65416,"dest_ip":"192.168.1.42","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":5700011,"rev":1,"signature":"CleanDNS_Phase1:
Malicious domain
57g7spgrzlojinas.onion","category":"","severity":3},"app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":82,"bytes_toclient":0,"start":"2018-03-22T14:49:40.014495+0530"}}
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180322/d0d3cdaf/attachment.html>

More information about the Oisf-users mailing list