[Oisf-users] DNS Logs into ELK

Jason Ish ish at unx.ca
Thu Mar 22 13:07:57 UTC 2018


On 2018-03-22 03:38 AM, Blason R wrote:
> Hi there,
> 
> I have setup a DNS server and installed Suricata on it. Suricata is 
> blocking DNS requests based on rules and onion domains. My next 
> requirement is to divert those logs into ELK.
> 
> Can someone please tell me which logs should be picked up: fast.log, 
> dns.log, eve.json, or any other?
> 
>  1. Log ingestion would be easy, as I don't have to write parsers since I
>     guess Suricata is logging in JSON format

You'll want to use eve.json: it can log all event types, so it covers what 
goes into fast.log and dns.log, but in JSON format.

>  2. Which logs should be considered from security perspective?

I think all of them. They provide context around an alert.

>  3. How can I start logging only DNS logs and stop any other?

But if you only want DNS, I'd make an eve-log section that logs only 
the dns type to its own file. You can have multiple eve-log 
configurations that log different types to their own files. So it's 
pretty easy to send dns to its own file.

You could probably have Logstash filter out non-dns events as well.

Please note that below you are showing alerts, not DNS logs. There is no 
way at this time for Suricata to divert alerts for DNS vs other 
protocols to separate files. You could probably do some parsing in 
Logstash though, and only accept events that are of event_type alert 
with a protocol of dns.

> 
> 
> Here are my DNS logs
> 
> 03/22/2018-14:49:37.517251  [wDrop] [**] [1:5700011:1] Phase1: Malicious domain 57g7spgrzlojinas.onion [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.1.9:65410 -> 192.168.1.42:53
> 03/22/2018-14:49:37.517251  [**] [1:2014939:1] ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.1.9:65410 -> 192.168.1.42:53
> 03/22/2018-14:49:37.518355  [wDrop] [**] [1:5700011:1] Phase1: Malicious domain 57g7spgrzlojinas.onion [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.1.42:20859 -> 192.228.79.201:53
> 03/22/2018-14:49:37.750217  [wDrop] [**] [1:5700011:1] Phase1: Malicious domain 57g7spgrzlojinas.onion [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.1.9:65411 -> 192.168.1.42:53
> 03/22/2018-14:49:37.750217  [**] [1:2014939:1] ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.1.9:65411 -> 192.168.1.42:53
> 
> ##################################
> ./eve.json:{"timestamp":"2018-03-22T14:49:40.014495+0530","flow_id":1201901318977695,"in_iface":"eno16777736","event_type":"alert","src_ip":"192.168.1.9","src_port":65416,"dest_ip":"192.168.1.42","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":5700011,"rev":1,"signature":"CleanDNS_Phase1: Malicious domain 57g7spgrzlojinas.onion","category":"","severity":3},"app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":82,"bytes_toclient":0,"start":"2018-03-22T14:49:40.014495+0530"}}
> 

Jason
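As an added illustration (not from Jason's post or the Suricata project), the filter Jason describes for Logstash, written in Python: it keeps event_type dns records and alert records whose app_proto is dns, and drops everything else. The sample eve.json text is constructed, except for the first line, which is the alert from the original post re-joined onto one line.

```python
import json

# Constructed sample eve.json input. The first line is the alert record from
# the original post (re-joined onto one line); the remaining lines are
# made-up stand-ins for a dns record, a non-DNS alert and a flow record.
SAMPLE_EVE = '''
{"timestamp":"2018-03-22T14:49:40.014495+0530","flow_id":1201901318977695,"in_iface":"eno16777736","event_type":"alert","src_ip":"192.168.1.9","src_port":65416,"dest_ip":"192.168.1.42","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":5700011,"rev":1,"signature":"CleanDNS_Phase1: Malicious domain 57g7spgrzlojinas.onion","category":"","severity":3},"app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":82,"bytes_toclient":0,"start":"2018-03-22T14:49:40.014495+0530"}}
{"timestamp":"2018-03-22T14:49:40.014600+0530","flow_id":1201901318977695,"event_type":"dns","src_ip":"192.168.1.9","src_port":65416,"dest_ip":"192.168.1.42","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4321,"rrname":"57g7spgrzlojinas.onion","rrtype":"A"}}
{"timestamp":"2018-03-22T14:49:41.000000+0530","flow_id":99,"event_type":"alert","src_ip":"192.168.1.9","src_port":50000,"dest_ip":"192.168.1.42","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"CONSTRUCTED example HTTP alert","category":"","severity":3},"app_proto":"http"}
{"timestamp":"2018-03-22T14:49:42.000000+0530","flow_id":77,"event_type":"flow","src_ip":"192.168.1.9","dest_ip":"192.168.1.42","proto":"UDP","app_proto":"dns"}
'''


def route_eve_line(line):
    """Classify one eve.json line.

    Returns ("dns", record) for DNS protocol logs, ("dns-alert", record) for
    alerts raised on DNS traffic, and None for anything else, including
    blank or partially written lines (Suricata appends to eve.json, so a
    reader can hit a truncated last line).
    """
    line = line.strip()
    if not line:
        return None
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    event_type = rec.get("event_type")
    if event_type == "dns":
        return ("dns", rec)
    # Alerts get no per-protocol file of their own; app_proto is the
    # field that tells DNS alerts apart from the rest.
    if event_type == "alert" and rec.get("app_proto") == "dns":
        return ("dns-alert", rec)
    return None


def route_eve(text):
    """Split eve.json text into the two streams worth shipping to ELK."""
    streams = {"dns": [], "dns-alert": []}
    for line in text.splitlines():
        routed = route_eve_line(line)
        if routed is not None:
            streams[routed[0]].append(routed[1])
    return streams


if __name__ == "__main__":
    for name, records in route_eve(SAMPLE_EVE).items():
        print(name, [r["flow_id"] for r in records])
```

A dns-only eve-log output in suricata.yaml, as Jason suggests, gives you exactly the "dns" stream; the "dns-alert" stream is the part that still needs a filter in Logstash.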

