Ignoring noisy events (dns, http)

Hello everyone,

I am trying to reduce noise on my Splunk Enterprise Security, originating mainly from DNS (and http) events in Suricata.

Specifically, I have a huge number of DNS requests to sites like partnerweb.vmware.com, microsoft and mcafee which I would like to silence.

I have tried both alert and pass rules along with bypass modifier:

alert dns any any -> any 53 (dns.query; content:".vmware.com"; bypass; sid:10000000;)
pass dns any any -> any 53 (dns.query; content:".vmware.com"; bypass; sid:10000000;)

Events keep generating though and I receive no errors while restarting suricata.

Any help would be appreciated.

Thank you in advance.

With kind regards,

Chris

You can use a conditional logging instead of a bypass rules:

config dns any any -> any any (msg:"Conditional logging - DNS wildcard dotprefix"; dns.query; dotprefix; content:".vmware.com"; nocase; endswith; config: logging disable, type tx, scope tx; sid:2;)

Bypass will not remove the query but will trigger detection not to be done on the flow.


That was a hidden gem in the docs. Many thanks!

One more question:

Can I use a separate file (eg. conditional_formating.rules) to load the rules in Suricata-update?

I am running suricata-update (in log output I see <info> Loading local file conditional_formating.rules), but in the final suricata.rules file I cannot see my conditional formatting rules. There is no sid number conflict and no error in suricata.log.

As a workaround, I manually appended the rules on the final suricata.rules and it works. But it would be more convenient to load them with suricata-update as part of the rule management process.

Thanks a lot for your time.

BR

Chris

I’m not a big suricata-update user. Maybe @sbhardwaj or @ish know about this.

Hello again @Regit,

even though I use the conditional logging as instructed by you, the dns events keep firing even though they are supposed to be suppressed.

  • Suricata -vvv shows that rules are loaded (I set on suricata.yaml to load a separate rule file “conditional_logging.rules”)
  • No errors on suricata.log

Can you recommend me a place to start my troubleshooting?

In eve.json I see that queries are output as “rrname”, there is no dns.query field. Is this the case?

Thank you in advance.

Christos
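As an added example (not code from the thread or from the Suricata project), the script below models what the conditional-logging rule quoted earlier actually matches and runs that model over a handful of constructed eve.json lines. Two points it makes concrete: `dns.query` is a detection buffer, not an EVE field, and the name it inspects is the one EVE logs under `dns.rrname`; and `dotprefix` prepends a dot to that buffer before `endswith` is checked, so `".vmware.com"` covers the apex and every subdomain but not `notvmware.com`. The sample records, IPs and the `NOISY_SUFFIXES` list are all constructed for illustration.

```python
import json
from collections import Counter

# Constructed eve.json records for illustration; not taken from the thread.
SAMPLE_EVE = "\n".join(json.dumps(r) for r in [
    {"event_type": "dns", "src_ip": "10.0.0.5", "dns": {"type": "query", "rrname": "partnerweb.vmware.com", "rrtype": "A"}},
    {"event_type": "dns", "src_ip": "10.0.0.5", "dns": {"type": "query", "rrname": "PartnerWeb.VMware.com", "rrtype": "A"}},
    {"event_type": "dns", "src_ip": "10.0.0.7", "dns": {"type": "query", "rrname": "vmware.com", "rrtype": "A"}},
    {"event_type": "dns", "src_ip": "10.0.0.9", "dns": {"type": "query", "rrname": "notvmware.com", "rrtype": "A"}},
    {"event_type": "dns", "src_ip": "10.0.0.9", "dns": {"type": "query", "rrname": "vmware.com.example.net", "rrtype": "A"}},
    {"event_type": "dns", "src_ip": "10.0.0.5", "dns": {"type": "query", "rrname": "update.microsoft.com", "rrtype": "A"}},
    {"event_type": "dns", "src_ip": "10.0.0.5", "dns": {"type": "query", "rrname": "intranet.example.net", "rrtype": "A"}},
    {"event_type": "alert", "src_ip": "10.0.0.9", "alert": {"signature_id": 10000000}},
])

# Suffixes written exactly as they would appear in the content: of a
# "dns.query; dotprefix; content:...; nocase; endswith;" rule (constructed list).
NOISY_SUFFIXES = [".vmware.com", ".microsoft.com"]


def dotprefix_endswith(name: str, suffix: str) -> bool:
    """Model of Suricata's dotprefix + nocase + endswith match.

    dotprefix prepends a '.' to the inspected buffer, so a suffix of
    ".vmware.com" matches the apex "vmware.com" and any subdomain, but
    not "notvmware.com" (no dot before "vmware") and not
    "vmware.com.example.net" (endswith anchors at the end of the buffer)."""
    return ("." + name.lower()).endswith(suffix.lower())


def iter_dns_queries(eve_text: str):
    """Yield (src_ip, rrname) for each DNS query record in EVE JSON text.

    Non-dns event types and dns answers are skipped; the rule buffer
    dns.query corresponds to the logged dns.rrname of a query record."""
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "dns":
            continue
        dns = rec.get("dns", {})
        if dns.get("type") != "query":
            continue
        yield rec.get("src_ip"), dns["rrname"]


def triage(eve_text: str, suffixes=NOISY_SUFFIXES):
    """Split DNS query records into those the conditional-logging rules
    would suppress and those that would still reach the SIEM.

    Returns (suppressed_count, remaining) where remaining is a Counter of
    rrname -> count, so the next noisy suffix worth a rule is easy to spot."""
    suppressed = 0
    remaining = Counter()
    for _src, rrname in iter_dns_queries(eve_text):
        if any(dotprefix_endswith(rrname, s) for s in suffixes):
            suppressed += 1
        else:
            remaining[rrname.lower()] += 1
    return suppressed, remaining


if __name__ == "__main__":
    dropped, left = triage(SAMPLE_EVE)
    print(f"would suppress {dropped} dns query events")
    for name, n in left.most_common():
        print(f"  still logged: {name} x{n}")
```

Run it against a real eve.json by replacing `SAMPLE_EVE` with the file contents: a large `suppressed` count with the rules loaded confirms the pattern is right and the problem is in rule loading, while a small one means the suffix list does not cover what is actually flooding the SIEM.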

Are you talking about dns events instead of alert events?

Yes, I have a lot of legitimate dns events that I would like to suppress as they flood my Splunk data. I could easily filter them out from Splunk but I would prefer to filter them at source.

You can disable the http & dns logs (in suricata.yaml) if you don’t need them

You could drop them in the logshipper as well if there is more specifics (eg: a specific host queries a specific domain in a noisy way)

You could also ignore that traffic either in your packet broker or in the Suricata capture filters.

Hi @bchris21

Did you come up with a solution to suppress some of the DNS queries?
thanks,
Geoff