Definitely agree with Security Onion, along with Bro and Sguil. Good stuff, nice open source IDS.
Ed

On Jan 8, 2016 8:55 AM, "Kennedy, Jim" <[email protected]> wrote:
> Another option. Port mirror your DNS server and spin up SecurityOnion. That is what I am using… port mirroring all my to/from server traffic to it. That will get you basic IDS, or you can use the Bro logs.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Richard Stovall
> *Sent:* Thursday, January 7, 2016 4:27 PM
> *To:* [email protected]
> *Subject:* Re: [NTSysADM] Source of DNS queries
>
> And, thanks to y'all for helping me talk it out, here's the general direction for what I'm trying to do.
>
> https://www.alienvault.com/forums/discussion/4564/how-to-get-my-dns-logs-into-usm
>
> Woot!
>
> On Thu, Jan 7, 2016 at 3:55 PM, Richard Stovall <[email protected]> wrote:
>
> The SIEM can do it, but I guess I'm missing how to get it in there using the default tools in Windows Server.
>
> On Thu, Jan 7, 2016 at 3:48 PM, Michael B. Smith <[email protected]> wrote:
>
> Well, if your SIEM can’t parse it, it’s pretty easy to do with WMI/PowerShell.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Richard Stovall
> *Sent:* Thursday, January 7, 2016 3:16 PM
> *To:* [email protected]
> *Subject:* Re: [NTSysADM] Source of DNS queries
>
> Not averse to it, per se. They just get pretty big pretty quickly, and are temporal because they wrap as well.
>
> Just thinking out loud about how it would be nice to have the relevant info in a single, non-expiring repository.
>
> On Thu, Jan 7, 2016 at 2:41 PM, Michael B. Smith <[email protected]> wrote:
>
> Why are you averse to scanning the logs?
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Richard Stovall
> *Sent:* Thursday, January 7, 2016 1:49 PM
> *To:* [email protected]
> *Subject:* [NTSysADM] Source of DNS queries
>
> I am in the early stages of deploying a SIEM solution and one of the things that pop up occasionally are alarms for when a DNS query is conducted and the response contains a known-malicious IP. What I'm trying to do is figure out which machine queried the DNS server because the alert just shows that a query response with the malicious IP went back to the DNS server.
>
> Short of enabling DNS debug logging on my MS DNS servers and picking through them to find the source of the query, is there another solution that's more permanent?
>
> I'm thinking that if I had something like a "DNS proxy" that does the kind of logging I'm looking for, that would be great. Essentially a DNS server that forwards everything on to the 'regular' servers.
>
> client <--> proxy <--> internal DNS server <--> external DNS servers
>
> Just messing around with ideas. Anyone have a solution to this already in place? (Preferably one that's affordable for the little guys. :-)
>
> Thanks,
> RS
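The "DNS proxy" sketched at the bottom of the quoted thread (client <--> proxy <--> internal DNS server), as an added example that is not code from anyone on the list: a minimal UDP logging forwarder in Python that records the querying client, the name it asked for and the A records in the answer, so an alert on a malicious response IP can be tied back to the client that asked. The listen port and the upstream address 10.0.0.53 are assumptions, and the relay is UDP only, one query at a time.

```python
import socket
import struct

def parse_name(msg, off):
    """Decode a DNS name at off, following compression pointers; return (name, end offset)."""
    labels, end = [], None
    for _ in range(64):                                  # bounded walk: rejects pointer loops
        n = msg[off]
        if n & 0xC0 == 0xC0:                             # pointer to an earlier copy of the name
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif n:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n
        else:
            return ".".join(labels), (end or off + 1)
    raise ValueError("malformed name")

def answer_ips(msg):
    """IPv4 addresses in the answer section (A records only; other types are skipped)."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off, ips = 12, []
    for _ in range(qdcount):                              # skip the echoed question(s)
        off = parse_name(msg, off)[1] + 4                 # +4 for QTYPE and QCLASS
    for _ in range(ancount):
        off = parse_name(msg, off)[1]
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return ips

def log_line(client_ip, query, response):
    """One record per lookup: who asked, what they asked, which IPs came back."""
    return f"client={client_ip} qname={parse_name(query, 12)[0]} answers={','.join(answer_ips(response)) or '-'}"

def serve(listen=("0.0.0.0", 5353), upstream=("10.0.0.53", 53)):
    # assumed: listen is where clients point their resolver; upstream is the 'regular' internal DNS server
    srv, up = (socket.socket(socket.AF_INET, socket.SOCK_DGRAM) for _ in range(2))
    srv.bind(listen)
    up.settimeout(3)
    while True:
        query, client = srv.recvfrom(4096)
        up.sendto(query, upstream)
        try:
            response, _ = up.recvfrom(4096)
        except socket.timeout:
            continue                                      # upstream silent: drop, client retries
        print(log_line(client[0], query, response), flush=True)
        srv.sendto(response, client)
```

Call serve() to start relaying; parse_name and answer_ips work just as well on DNS packets taken from a port mirror, which is the other route discussed above.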
