We’re running Suricata 7.0.6 on Ubuntu, and we have been receiving alerts about DNS requests to domains that have suspicious TLDs (such as nat-pool.zeus.poltava.ua and vtomske.su), and we were wondering if that is due to the way the appliances that have Suricata installed are positioned in the network. These DNS requests are all going to a domain controller (which is the local DNS resolver), and have the source IPs of the machines running Suricata. We have investigated the machines themselves and found no evidence of any process making these requests; the machines themselves don’t really do anything outside of acting as an IDS with Suricata.
The question is, could these requests be coming from other hosts in the network with Suricata somehow mistaking the src_ip field? What could explain this weird behaviour?
Maybe you’ve done that already, but I would recommend checking all events related to the flow. I think that in some cases it is possible that Suricata interprets the dst_ip as the src_ip, so investigating all events related to the same flow, and then maybe following events with both IPs from the flow, could give you some leads.
I don’t know what kind of infrastructure you have for analyzing eve logs, but if you don’t have much, EveBox could help, I think.
Hope by now you have figured out what was going on…
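One way to do the flow-wide check suggested in this reply, as an added example that is not part of the thread: read EVE JSON, group every event by its `flow_id`, pick out the flows whose DNS query has a suspicious TLD, and then compare the query's `src_ip` with the sensor's own address while confirming that the query, answer and alert in that flow all agree on the same endpoint pair. If they do, the field is not being swapped; the sensor itself is the client. The EVE lines, IPs, flow IDs and the sensor address `10.0.0.50` below are constructed for illustration; the TLD list is taken from the two domains named in the question.

```python
import json
import sys
from collections import defaultdict

# Constructed sample EVE lines (not from the thread); IPs, flow_ids and
# timestamps are made up. 10.0.0.50 plays the Suricata sensor, 10.0.0.10 the
# domain controller / resolver.
SAMPLE_EVE = """
{"timestamp":"2024-06-01T10:00:00.000000+0000","flow_id":111,"event_type":"dns","src_ip":"10.0.0.50","dest_ip":"10.0.0.10","proto":"UDP","dns":{"type":"query","rrname":"vtomske.su","rrtype":"A"}}
{"timestamp":"2024-06-01T10:00:00.010000+0000","flow_id":111,"event_type":"dns","src_ip":"10.0.0.10","dest_ip":"10.0.0.50","proto":"UDP","dns":{"type":"answer","rrname":"vtomske.su","rcode":"NOERROR"}}
{"timestamp":"2024-06-01T10:00:01.000000+0000","flow_id":111,"event_type":"alert","src_ip":"10.0.0.50","dest_ip":"10.0.0.10","proto":"UDP","alert":{"signature":"CONSTRUCTED suspicious TLD query","signature_id":9000001}}
{"timestamp":"2024-06-01T10:00:05.000000+0000","flow_id":222,"event_type":"dns","src_ip":"10.0.0.77","dest_ip":"10.0.0.10","proto":"UDP","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
{"timestamp":"2024-06-01T10:00:06.000000+0000","flow_id":333,"event_type":"flow","src_ip":"10.0.0.50","dest_ip":"10.0.0.10","proto":"UDP"}
"""

# TLDs named in the original question; extend for your own environment.
SUSPICIOUS_TLDS = {"su", "ua"}


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def group_by_flow(events):
    """Bucket events by flow_id, each bucket sorted by timestamp."""
    flows = defaultdict(list)
    for ev in events:
        fid = ev.get("flow_id")
        if fid is not None:
            flows[fid].append(ev)
    for evs in flows.values():
        evs.sort(key=lambda e: e.get("timestamp", ""))
    return dict(flows)


def tld_of(name):
    """Last label of a domain name, ignoring a trailing dot."""
    return name.rstrip(".").rsplit(".", 1)[-1].lower()


def suspicious_flows(flows, tlds=SUSPICIOUS_TLDS):
    """Flows containing at least one DNS query for a suspicious TLD."""
    hits = {}
    for fid, evs in flows.items():
        for ev in evs:
            dns = ev.get("dns", {})
            if ev.get("event_type") == "dns" and dns.get("type") == "query":
                if tld_of(dns.get("rrname", "")) in tlds:
                    hits[fid] = evs
                    break
    return hits


def classify_origin(flow_events, sensor_ips):
    """Return (query_src_ip, src_is_sensor, endpoints_consistent).

    endpoints_consistent is True when every event in the flow involves the
    same unordered pair of addresses, i.e. the query/answer directions are
    merely reversed, not pointing at some third host.
    """
    query_src = None
    pairs = set()
    for ev in flow_events:
        pairs.add(frozenset((ev.get("src_ip"), ev.get("dest_ip"))))
        if query_src is None and ev.get("event_type") == "dns" \
                and ev.get("dns", {}).get("type") == "query":
            query_src = ev.get("src_ip")
    return query_src, query_src in sensor_ips, len(pairs) == 1


def report(text, sensor_ips):
    """Summarise each suspicious flow as {flow_id: (src, is_sensor, consistent)}."""
    flows = group_by_flow(parse_eve(text))
    return {fid: classify_origin(evs, sensor_ips)
            for fid, evs in suspicious_flows(flows).items()}


if __name__ == "__main__":
    # Usage: python3 eve_flow_check.py /var/log/suricata/eve.json 10.0.0.50
    if len(sys.argv) >= 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = fh.read()
        sensors = set(sys.argv[2:])
    else:
        data, sensors = SAMPLE_EVE, {"10.0.0.50"}
    for fid, (src, is_sensor, consistent) in report(data, sensors).items():
        print(f"flow {fid}: query from {src}, sensor={is_sensor}, "
              f"endpoints consistent={consistent}")
```

On the constructed sample, flow 111 is reported with the query coming from the sensor's own address and all three events agreeing on the same endpoint pair, which is the pattern you would expect if the sensor really is the DNS client rather than Suricata mislabelling another host's traffic. Run it against the real eve.json with the management IP(s) of each sensor; a flow where the query source is not a sensor address, or where the endpoint pairs disagree, is the one worth chasing further.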
Hello, I would look into why your systems running Suricata are making DNS resolutions. Do you have some option enabled to resolve domains for enriched logging purposes?
I don’t see a way Suricata would replace the IP address of another system with what I assume is the management IP of the Suricata box.
Thanks for the help. Yes, it turned out that the DNS resolutions were being made for enrichment purposes. There is a lot more to it, but for the purpose of this topic it’s all good.