Ignoring noisy events (dns, http)

bchris21 · October 18, 2021, 10:07am

Hello everyone,

I am trying to reduce noise on my Splunk Enterprise Security, originating mainly from DNS (and http) events in Suricata.

Specifically, I have a huge number of DNS requests to sites like partnerweb.vmware.com, microsoft and mcafee which I would like to silent them.

I have tried both alert and pass rules along with bypass modifier:

alert dns any any -> any 53 (dns.query; content:".vmware.com"; bypass; sid:10000000;)
pass dns any any -> any 53 (dns.query; content:".vmware.com"; bypass; sid:10000000;)

Events keep generating though and I receive no errors while restarting suricata.

Any help would be appreciated.

Thank you in advance.

With kind regards,

Chris

Regit · October 18, 2021, 8:54pm

You can use a conditional logging instead of a bypass rules:

config dns any any -> any any (msg:"Conditional logging - DNS wildcard dotprefix"; dns.query; dotprefix; content:".vmware.com"; nocase; endswith; config: logging disable, type tx, scope tx; sid:2;)

Bypass will not remove the query but will trigger detection not to be done on the flow.

bchris21 · October 18, 2021, 9:52pm

That was a hidden jem in the docs. Many thanks!

bchris21 · October 19, 2021, 7:56am

One more question:

Can I use a separate file (eg. conditional_formating.rules) to load the rules in Suricata-update?

I am running suricata-update (in log output I see <info> Loading local file conditional_formating.rules), but in the final suricata.rules file I cannot see my conditional formating rules. There is no sid number conflict and no error in suricata.log.

As a workaround, I manually appended the rules on the final suricata.rules and it works. But it would be more convenient to load them with suricata-update as part of the rule management process.

Thanks a lot for your time.

BR

Chris

Regit · October 19, 2021, 8:15am

I’m not a big suricata-update user. Maybe @sbhardwaj or @ish know about this.

bchris21 · October 6, 2022, 10:39am

Hello again @Regit,

even though I use the conditional logging as instructed by you, the dns events keep firing even though they are supposed to be suppressed.

Suricata -vvv shows that rules are loaded (I set on suricata.yaml to load a separate rule file “conditional_logging.rules”)
No errors on suricata.log

Can you recommend me a place to start my troubleshooting?

In eve.json I see that queries are output as “rrname”, there is no dns.query field. Is this the case?

Thank you in advance.

Christos

Andreas_Herz · October 8, 2022, 9:02pm

Are you talking about dns events instead of alert events?

bchris21 · October 8, 2022, 11:20pm

Yes, I have a lot legitimate dns events that I would like to suppress as they flood my Splunk data. I could easily filter them out from Splunk but I would prefer to filter them at source.

IDSTower · October 9, 2022, 5:54am

You can disable the http & dns logs (in suricata.yaml) if you don’t need them

You could drop them in the logshipper as well if there is more specifics (eg: a specific host queries a specific domain in a noisy way)

You could as well ignore that traffic at either in your packet broker or Suricata capture filters.

gnordli · March 8, 2024, 12:03am

Hi @bchris21

Did you come up with a solution to suppress some of DNS queries?
thanks,
Geoff

Topic		Replies	Views
Filter dns query by wildcard rather then by ip address Help rules	5	906	May 8, 2023
Unable to supress SURICATA STREAM alerts Rules rules , suricata	3	637	October 25, 2023
DNS UDP bypass rule not working, advise please Help rules	5	43	November 5, 2024
Suppress alerts around known false positive! Rules	8	2726	August 16, 2023
Deleted rules still being added Help	2	815	February 26, 2021

Ignoring noisy events (dns, http)

Related topics