[Oisf-users] DNS Logs into ELK
Jason Ish
ish at unx.ca
Thu Mar 22 13:07:57 UTC 2018
On 2018-03-22 03:38 AM, Blason R wrote:
> Hi there,
>
> I have setup a DNS server and installed Suricata on it. Suricata is
> blocking DNS requests based on rules and onion domains. My next
> requirement is to divert those logs into ELK.
>
> Can someone please tell me which logs should be picked up: fast.log or
> dns.log or eve.json, or any other?
>
> 1. Logs ingestion would be easy as I don't have to write parsers since I
> guess Suricata is logging into JSON format
You'll want to use eve.json; it can log all event types, so it covers what
goes into fast.log and dns.log, but in JSON format.
> 2. Which logs should be considered from security perspective?
I think all of them. They provide context around an alert.
> 3. How can I start logging only DNS logs and stop any other?
But if you only want DNS, I'd make an eve-log section that logged only
the dns type to its own file. You can have multiple eve-log
configurations that log different types to their own files. So it's
pretty easy to send dns to its own file.
You could probably have Logstash filter out non-dns events as well.
Please note that below you are showing alerts, not DNS logs. There is no
way at this time for Suricata to divert alerts for DNS vs other
protocols to separate files. You could probably do some parsing in
Logstash though, and only accept events that are of event_type alert
with a protocol of dns.
>
>
> Here are my DNS logs
>
> 03/22/2018-14:49:37.517251 [wDrop] [**] [1:5700011:1] Phase1: Malicious domain 57g7spgrzlojinas.onion [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.1.9:65410 -> 192.168.1.42:53
> 03/22/2018-14:49:37.517251 [**] [1:2014939:1] ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.1.9:65410 -> 192.168.1.42:53
> 03/22/2018-14:49:37.518355 [wDrop] [**] [1:5700011:1] Phase1: Malicious domain 57g7spgrzlojinas.onion [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.1.42:20859 -> 192.228.79.201:53
> 03/22/2018-14:49:37.750217 [wDrop] [**] [1:5700011:1] Phase1: Malicious domain 57g7spgrzlojinas.onion [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.1.9:65411 -> 192.168.1.42:53
> 03/22/2018-14:49:37.750217 [**] [1:2014939:1] ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.1.9:65411 -> 192.168.1.42:53
>
> ##################################
> ./eve.json:{"timestamp":"2018-03-22T14:49:40.014495+0530","flow_id":1201901318977695,"in_iface":"eno16777736","event_type":"alert","src_ip":"192.168.1.9","src_port":65416,"dest_ip":"192.168.1.42","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":5700011,"rev":1,"signature":"CleanDNS_Phase1: Malicious domain 57g7spgrzlojinas.onion","category":"","severity":3},"app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":82,"bytes_toclient":0,"start":"2018-03-22T14:49:40.014495+0530"}}
>
Jason
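One way to do the pipeline-side filtering Jason describes (accept dns records plus alerts with app_proto dns, drop everything else), as an added example that is not part of the thread or of Suricata or Logstash: a small Python filter over eve.json lines that also flattens the fields worth indexing. The sample lines are constructed; the first is adapted from the record quoted above, the dns record and the non-DNS alert are made up.

```python
import json
# Constructed sample eve.json lines: the first is adapted from the alert record quoted
# in this thread, the rest are made up (RFC 5737 address) to exercise the filter.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2018-03-22T14:49:40.014495+0530","event_type":"alert",'
    '"src_ip":"192.168.1.9","src_port":65416,"dest_ip":"192.168.1.42","dest_port":53,'
    '"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":5700011,"rev":1,'
    '"signature":"CleanDNS_Phase1: Malicious domain 57g7spgrzlojinas.onion",'
    '"category":"","severity":3},"app_proto":"dns"}',
    '{"timestamp":"2018-03-22T14:49:40.014495+0530","event_type":"dns",'
    '"src_ip":"192.168.1.9","src_port":65416,"dest_ip":"192.168.1.42","dest_port":53,'
    '"proto":"UDP","dns":{"type":"query","id":1234,"rrname":"57g7spgrzlojinas.onion",'
    '"rrtype":"A"}}',
    '{"timestamp":"2018-03-22T14:49:41.000000+0530","event_type":"alert",'
    '"src_ip":"192.168.1.9","dest_ip":"198.51.100.10","dest_port":80,"proto":"TCP",'
    '"alert":{"signature_id":1,"signature":"constructed non-DNS alert","severity":2},'
    '"app_proto":"http"}',
    'not json at all',  # stands in for a truncated or partially written line
]

def is_dns_related(event):
    """Keep DNS protocol records and alerts that fired on DNS traffic (app_proto == dns)."""
    if event.get("event_type") == "dns":
        return True
    return event.get("event_type") == "alert" and event.get("app_proto") == "dns"

def select_dns_events(lines):
    """Yield the records a DNS-only pipeline should accept; skip lines that are not JSON objects."""
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and is_dns_related(event):
            yield event

def summarize(event):
    """Flatten the fields an analyst pivots on: query name for dns records, signature for alerts."""
    out = {"event_type": event["event_type"], "src_ip": event.get("src_ip"), "dest_ip": event.get("dest_ip")}
    if event["event_type"] == "dns":
        out["rrname"] = event.get("dns", {}).get("rrname")
    else:
        out["signature"] = event.get("alert", {}).get("signature")
        out["severity"] = event.get("alert", {}).get("severity")
    return out

if __name__ == "__main__":
    for ev in select_dns_events(SAMPLE_EVE_LINES):
        print(summarize(ev))
```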