DNS Lookup of detected IPs

Hello everyone,

Our IDS uses Packetbeat to collect the network flows, but we want to switch to Suricata for detection and for collecting the flows.
Suricata is great, but we noticed that Suricata automatically resolves the IP addresses (reverse lookup). This is great, but as we checked with tcpdump, Suricata does a separate DNS lookup to the DNS server for every IP address or every flow.

Does Suricata offer a way to configure the DNS lookup functionality? We did not find anything on the web. One solution is to use a DNS cache, but we first want to check whether Suricata natively has some functions for this.

Thanks

Hi,

Can you give us more details about your setup/configuration? Suricata itself does no DNS lookups AFAIK. Are you 100% sure it's coming from Suricata and not another process?
Keep in mind that if tcpdump is run without the -nn option, it does the resolving itself.

Hi there,

I think we made the same mistake :slight_smile:

Just copying the configuration of other people without knowing what it does…

filter {
  # copy the source address into a new field so the original src_ip stays intact
  mutate {
    add_field => { "src_ip_rdns" => "%{src_ip}" }
  }
  # reverse-resolve the copied field; this is where the PTR queries come from
  dns {
    reverse => [ "src_ip_rdns" ]
    nameserver => [ "127.0.0.1" ]
    action => "replace"          # overwrite the field with the hostname on success
    hit_cache_size => 4096       # successful lookups cached (entries / seconds)
    hit_cache_ttl => 1800
    failed_cache_size => 512     # failed lookups cached so they are not retried at once
    failed_cache_ttl => 900
    max_retries => 1
    timeout => 0.5
  }
}

Resolving is done by logstash.

Sorry for blaming suricata :paw_prints:

2 Likes
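A constructed model of the two caches the dns filter above exposes (hit_cache_* and failed_cache_*), added here as an example and not Logstash's own code, to show why every flow record triggers its own PTR query without them and how the TTL and size limits bound the query rate. The flow records, the PTR table and the resolver stand-in are constructed; the real cache internals of the plugin are not reproduced.

```python
import time
from collections import OrderedDict

# Constructed sample: 12 flow records from three sources; 10.0.0.9 has no PTR record.
SAMPLE_FLOWS = [{"src_ip": ip} for ip in
                ["10.0.0.5", "10.0.0.7", "10.0.0.5", "10.0.0.9", "10.0.0.5", "10.0.0.7"] * 2]
FAKE_PTR = {"10.0.0.5": "app01.example.test", "10.0.0.7": "db01.example.test"}  # constructed

class ReverseLookupCache:
    """Model of the dns filter's hit/failed caches (constructed, not Logstash code)."""
    _MISS = object()

    def __init__(self, resolve, hit_cache_size=4096, hit_cache_ttl=1800,
                 failed_cache_size=512, failed_cache_ttl=900, clock=time.monotonic):
        self._resolve, self._clock = resolve, clock
        self._hits, self._hit_cfg = OrderedDict(), (hit_cache_size, hit_cache_ttl)
        self._failed, self._failed_cfg = OrderedDict(), (failed_cache_size, failed_cache_ttl)
        self.queries_sent = 0  # lookups that actually reached the nameserver

    def _get(self, cache, ip):
        value, expires = cache.get(ip, (self._MISS, float("inf")))
        if value is self._MISS or self._clock() >= expires:  # absent or TTL elapsed
            cache.pop(ip, None)
            return self._MISS
        cache.move_to_end(ip)             # recently used entries survive LRU eviction
        return value

    def _put(self, cache, cfg, ip, value):
        size, ttl = cfg
        cache[ip] = (value, self._clock() + ttl)
        while len(cache) > size:          # evict the least recently used entry
            cache.popitem(last=False)

    def reverse(self, ip):
        name = self._get(self._hits, ip)
        if name is not self._MISS:
            return name
        if self._get(self._failed, ip) is not self._MISS:
            return None                   # negative cache: a known failure is not re-queried
        self.queries_sent += 1
        name = self._resolve(ip)
        if name:
            self._put(self._hits, self._hit_cfg, ip, name)
        else:
            self._put(self._failed, self._failed_cfg, ip, True)
        return name

def enrich_flows(flows, cache):
    """Mirror add_field + dns reverse with action => "replace": hostname if a PTR exists, else the IP."""
    return [{**f, "src_ip_rdns": cache.reverse(f["src_ip"]) or f["src_ip"]} for f in flows]
```

With the caches in place the 12 sample records cost 3 queries instead of 12; without them (or after the TTLs expire) every record becomes a query on the wire, which is what tcpdump showed in the original post.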

Thanks!!!
My colleague set up the Logstash config, and I did not realise at that moment that Logstash is executing the DNS queries.

Sorry for blaming suricata too :slight_smile:

1 Like