DNS request from HOME_NET to HOME_NET - how?

Hi all! Looking for a solution… I use Suricata as a NIDS with AlienVault OSSIM and have run into a problem with processing DNS requests. The overall issue is that I see DNS requests from my Domain Controller (which is the DNS server for the entire LAN) to the external DNS provider, but I don't see any DNS requests TO my Domain Controller…
Deep research led me to the Suricata rules. I can see in eve.json all DNS requests that cross the "perimeter" (i.e. from HOME_NET to EXTERNAL_NET and from EXTERNAL_NET to HOME_NET). But I am unable to see the DNS requests INSIDE my LAN that endpoints make to the local DNS server, which is the Domain Controller… As soon as I create a subnet in my LAN that is outside the scope of the HOME_NET addresses, I can see all the requests from it. But I need HOME_NET to contain all the IP subnets that are real LAN subnets.

The reason is to know exactly which endpoint made a malicious DNS request.

So I searched the Suricata rules and found some clues: there are rules that apply certain conditions, and there I can see restrictions to requests from LAN to Internet or from Internet to LAN with some additional parameters. But what rule can I create to log LAN-to-LAN DNS requests without any condition?

Please, help! :slight_smile:

ADD: Yes, Suricata collects the data from an Ethernet port that is capable of doing so. All the data is there; the only problem is to make Suricata produce a proper log for it.

This sounds like a sensor “placement” issue.

Can you describe a bit more about your deployment?

Are you able to confirm via a tcpdump on the interface that Suricata is listening on that you actually see the client → internal DNS server traffic?

If you review the IDS rules in question, can you confirm whether they are $HOME_NET -> any or $HOME_NET -> $EXTERNAL_NET?
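The rule-direction check suggested above can be tried on paper before touching the sensor. The following is an added example (not code from this thread or from the Suricata project): it evaluates the address part of a Suricata rule header against constructed eve.json DNS records, using an assumed HOME_NET of 10.0.0.0/8 and 192.168.0.0/16 and the usual suricata.yaml convention that EXTERNAL_NET is `!$HOME_NET`. It shows why a header written `$HOME_NET any -> $EXTERNAL_NET any` never matches a workstation asking the domain controller, while `$HOME_NET any -> any any` does. Note that the `dns` output in eve.json is produced by the app-layer parser for every DNS transaction Suricata sees, independent of any signature, so if client-to-DC queries are absent from eve.json entirely the traffic is not reaching the sensor, which is the placement question asked first.

```python
import ipaddress
import json

# Assumed HOME_NET for this example (substitute the real LAN subnets from suricata.yaml).
HOME_NET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def in_home_net(ip):
    """True if ip falls inside one of the HOME_NET subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def var_matches(var, ip):
    """Evaluate a Suricata address variable against a single IP.

    Models the common suricata.yaml setup where EXTERNAL_NET is "!$HOME_NET";
    only these three forms are handled.
    """
    if var == "any":
        return True
    if var == "$HOME_NET":
        return in_home_net(ip)
    if var == "$EXTERNAL_NET":
        return not in_home_net(ip)
    raise ValueError("unsupported address variable: %s" % var)


def header_matches(header, src_ip, dst_ip):
    """Check whether a rule header's address part would match a src->dst flow.

    header looks like 'alert dns $HOME_NET any -> $EXTERNAL_NET any'.
    Ports are ignored (treated as any); the '->' and '<>' operators are supported.
    """
    _action, _proto, src, _sport, arrow, dst, _dport = header.split()[:7]
    forward = var_matches(src, src_ip) and var_matches(dst, dst_ip)
    if arrow == "->":
        return forward
    if arrow == "<>":
        return forward or (var_matches(src, dst_ip) and var_matches(dst, src_ip))
    raise ValueError("unsupported direction operator: %s" % arrow)


def classify_flow(src_ip, dst_ip):
    """Label a flow by which side of HOME_NET each endpoint sits on."""
    labels = {
        (True, True): "LAN->LAN",
        (True, False): "LAN->Internet",
        (False, True): "Internet->LAN",
        (False, False): "Internet->Internet",
    }
    return labels[(in_home_net(src_ip), in_home_net(dst_ip))]


# Constructed eve.json lines (not captured from a real sensor): a workstation asking
# the domain controller, the DC forwarding to an external resolver, and the reply.
SAMPLE_EVE = [
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"dns","src_ip":"192.168.1.50","src_port":51000,"dest_ip":"192.168.1.10","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1,"rrname":"login.example.com","rrtype":"A","tx_id":0}}',
    '{"timestamp":"2024-01-01T10:00:00.001000+0000","event_type":"dns","src_ip":"192.168.1.10","src_port":52000,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","id":2,"rrname":"login.example.com","rrtype":"A","tx_id":0}}',
    '{"timestamp":"2024-01-01T10:00:00.020000+0000","event_type":"dns","src_ip":"8.8.8.8","src_port":53,"dest_ip":"192.168.1.10","dest_port":52000,"proto":"UDP","dns":{"type":"answer","id":2,"rrname":"login.example.com","rcode":"NOERROR"}}',
]

# The two header styles named in the reply above.
RULE_HEADERS = [
    "alert dns $HOME_NET any -> $EXTERNAL_NET any",
    "alert dns $HOME_NET any -> any any",
]


def audit(eve_lines, headers):
    """For each DNS query in eve.json, report the flow class and which headers match."""
    results = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "dns" or ev["dns"].get("type") != "query":
            continue  # only client queries identify the asking endpoint
        matched = [h for h in headers if header_matches(h, ev["src_ip"], ev["dest_ip"])]
        results.append({
            "src": ev["src_ip"],
            "dst": ev["dest_ip"],
            "rrname": ev["dns"]["rrname"],
            "flow": classify_flow(ev["src_ip"], ev["dest_ip"]),
            "matched": matched,
        })
    return results


if __name__ == "__main__":
    for r in audit(SAMPLE_EVE, RULE_HEADERS):
        print("%-14s %-14s %-18s %-14s %s"
              % (r["src"], r["dst"], r["rrname"], r["flow"], r["matched"] or "no match"))
```

Run it against a real eve.json by replacing `SAMPLE_EVE` with the file's lines: any LAN->LAN query that shows up there with only the `-> any` header matching tells you the rule direction, not the sensor, is what hides the client-to-DC traffic; a LAN->LAN query that never appears at all points back at the capture interface.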

Thank you for your reply. Yes, it was a "placement" issue. In fact, there was a misconfiguration of the monitoring port in the VMware virtual machine; it was not properly configured to receive all the data. After proper configuration we now have all DNS requests in place.
