Hi all! Looking for a solution… I use Suricata as NIDS with AlienVault OSSIM and faced a problem with processing DNS requests. The overall issue is: I see DNS requests from my Domain Controller (which is the DNS server for the entire LAN) to the external DNS provider, but I don’t see any DNS requests TO my Domain Controller…
Deep research led me to Suricata rules. I can see in eve.json all DNS requests that are crossing the “perimeter” (e.g. from HOME_NET to EXTERNAL_NET and from EXTERNAL_NET to HOME_NET). But I am unable to see DNS requests INSIDE my LAN that endpoints make to the local DNS server, which is the Domain Controller… As soon as I create some subnet in my LAN that is out of scope of the HOME_NET addresses, I can see all the requests from it. But I need to keep HOME_NET containing all IP subnets that are real LAN subnets.
The reason is to have information on which exact endpoint made a malicious DNS request.
So I searched for Suricata rules and found some clues: there are rules that do some conditional processing, and there I can see limitations for requests from LAN-to-Internet or from Internet-to-LAN with some additional parameters. But what rule can I create to log LAN-to-LAN DNS requests without any condition?
Please, help!
ADD: Yes, Suricata collects the data from an eth port that is capable of doing so. All the data is there; the only problem is to make Suricata produce a proper log for it.
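As an added example (not part of the original post), a local rule that fires on every DNS query sent from one HOME_NET host to another HOME_NET host on port 53, so each internal client's query to the Domain Controller appears as an eve.json alert carrying that client's source IP. It assumes Suricata 5.0 or later (the `dns.query` sticky buffer), that HOME_NET includes the Domain Controller, and that the sensor interface actually sees the internal traffic; the sid is a placeholder in the local-rule range.

```suricata
# Added example, not from the original post.
# Match: any DNS query from a HOME_NET client to a HOME_NET resolver on port 53.
#   flow:to_server   - only the client's request direction, not the reply
#   dns.query        - inspect the queried name (Suricata 5.0+ sticky buffer)
#   content:"."      - matches every multi-label name, i.e. effectively "any query"
# This is a logging rule, so it uses a non-suspicious classtype; expect one alert
# per query, which is the point (per-endpoint visibility), not a detection.
# sid 9000001 is a placeholder; pick a free number in your own local range.
alert dns $HOME_NET any -> $HOME_NET 53 (msg:"LOCAL LAN-to-LAN DNS query to internal resolver"; flow:to_server; dns.query; content:"."; classtype:not-suspicious; sid:9000001; rev:1;)
```

Put the rule in a local rules file listed under `rule-files` in suricata.yaml and reload Suricata; the resulting alert records contain the client's `src_ip` and, when app-layer metadata is enabled in the eve alert output, the queried name.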