Several customers have asked us how they can collect DNS logs. In our solution, we proposed a Packetbeat agent that collects the data and sends it to our centralized NetEye SIEM, either directly or via a NetEye satellite.
The Domain Name System (DNS) provides a hierarchy of names for computers and services on the Internet or other networks. Its most noteworthy function is the translation of domain names such as example.com into IP addresses. DNS is required for the Internet to function, operates on a global scale, and is massively distributed.
DNS servers normally accept messages on UDP port 53. The DNS protocol has two message types, queries and replies; both use the same format. These messages are used to transfer resource records (RRs), which contain a name, a time-to-live (TTL), a class (normally IN), a type, and a value. For example, an A-type resource record specifies the IPv4 address associated with a domain. The domain name space is divided into DNS zones, and a server is considered authoritative if it has authority over a particular zone.
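To make the message format described above concrete, here is a small parser, added for this post and not part of Packetbeat or NetEye, that decodes a constructed DNS response (an A query for example.com with one answer) into its header, question and resource records. The sample packet bytes, the IP address in the answer and the field names are constructed for the example; the parser follows the wire format of RFC 1035, including the name-compression pointers that replies use to refer back to the question name.

```python
import struct
from dataclasses import dataclass

# Constructed sample: a DNS response for an A query on example.com.
# ID 0x1234, flags 0x8180 (response, recursion desired/available), 1 question,
# 1 answer. The answer NAME is a compression pointer (0xC00C) back to offset 12,
# where the question name starts.
SAMPLE_RESPONSE = bytes.fromhex(
    "1234" "8180" "0001" "0001" "0000" "0000"      # header: ID, flags, QD, AN, NS, AR
    "07" "6578616d706c65" "03" "636f6d" "00"        # QNAME: 7"example" 3"com" 0
    "0001" "0001"                                   # QTYPE A, QCLASS IN
    "c00c"                                          # NAME -> pointer to offset 12
    "0001" "0001" "00000e10" "0004" "5db8d822"     # A, IN, TTL 3600, RDLEN 4, 93.184.216.34
)

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}
CLASS_NAMES = {1: "IN"}


@dataclass
class ResourceRecord:
    name: str
    rtype: str
    rclass: str
    ttl: int
    value: str


def read_name(msg: bytes, offset: int, depth: int = 0) -> tuple[str, int]:
    """Decode a possibly compressed domain name starting at offset.

    Returns (name, offset just past the name in the original stream).
    """
    if depth > 10:  # guard against pointer loops in malformed packets
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, 14-bit offset
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            suffix, _ = read_name(msg, pointer, depth + 1)
            labels.append(suffix)
            return ".".join(l for l in labels if l), offset + 2
        offset += 1
        if length == 0:  # root label terminates the name
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def rdata_to_str(rtype: int, msg: bytes, offset: int, length: int) -> str:
    """Render RDATA for the record types this example understands."""
    data = msg[offset:offset + length]
    if rtype == 1 and length == 4:  # A: four-byte IPv4 address
        return ".".join(str(b) for b in data)
    if rtype in (2, 5):  # NS / CNAME carry a (compressible) domain name
        return read_name(msg, offset)[0]
    return data.hex()


def parse_dns(msg: bytes) -> dict:
    """Parse header, question section and all resource records of a DNS message."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    questions = []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, TYPE_NAMES.get(qtype, str(qtype))))
    records = []
    for _ in range(an + ns + ar):  # answer, authority and additional sections share one RR layout
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        records.append(ResourceRecord(
            name,
            TYPE_NAMES.get(rtype, str(rtype)),
            CLASS_NAMES.get(rclass, str(rclass)),
            ttl,
            rdata_to_str(rtype, msg, offset, rdlen),
        ))
        offset += rdlen
    return {
        "id": ident,
        "is_response": bool(flags & 0x8000),  # QR bit: 0 = query, 1 = reply
        "rcode": flags & 0x000F,              # 0 = NOERROR, 3 = NXDOMAIN
        "questions": questions,
        "records": records,
    }


if __name__ == "__main__":
    print(parse_dns(SAMPLE_RESPONSE))
```

Running the block prints the decoded message; the answer record comes out as name `example.com`, type `A`, class `IN`, TTL 3600 and value `93.184.216.34`. The response code and the question/answer names are exactly the fields a SIEM needs later for correlation, which is why the Packetbeat DNS module extracts them per message.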
It’s very important to have this data within our SIEM so that we can correlate it with data from other sources and analyze possible threats.
Packetbeat is a lightweight network packet analyzer that sends data from your hosts and containers to our NetEye SIEM. We suggest downloading this package and installing it on a probe. Packetbeat requires the libpcap library to be installed on the probe in order to capture packets and send the information to our NetEye SIEM.
The macro-steps to activate data collection are:
Packetbeat also ships with a library of protocol decoders, supporting many application-layer protocols, from databases and key-value stores to HTTP and lower-level protocols. For databases, for example, we have:
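As an added example of the configuration behind the DNS collection described above (not a file from the NetEye documentation), this `packetbeat.yml` fragment enables the DNS decoder on UDP/TCP port 53 and ships the events to a Logstash-compatible endpoint. The `packetbeat.interfaces`, `packetbeat.protocols` and `output.logstash` keys are standard Packetbeat options; the satellite hostname, port and CA path are placeholders, and whether a NetEye satellite exposes a Logstash input is an assumption for this example.

```yaml
# packetbeat.yml (added example; hostnames and paths are placeholders)
packetbeat.interfaces.device: any       # capture on all interfaces of the probe
packetbeat.interfaces.snaplen: 1514     # full Ethernet frames, enough for DNS over UDP

packetbeat.protocols:
  - type: dns
    ports: [53]                         # DNS is normally served on port 53
    include_authorities: true           # keep authority-section RRs in the event
    include_additionals: true           # keep additional-section RRs in the event

# Ship events to the SIEM via a NetEye satellite (placeholder endpoint, assumed
# to expose a Logstash/Beats input on 5044).
output.logstash:
  hosts: ["neteye-satellite.example.internal:5044"]
  ssl.certificate_authorities: ["/etc/packetbeat/ca.crt"]
```

With this in place each query/reply pair becomes one event carrying the question name, type, response code and the resource records, which is what the dashboards and the detection rules below consume.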
In addition to all these dashboards we also have the data within our SIEM, so we can see it in APP Security under the Network section:
Now that we’ve gathered all this network-traffic data by sniffing on our infrastructure, we can activate the detection rules for the network.
We have about 40 detection rules that can help us to detect threats:
For the DNS we have:
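To show what a DNS detection rule does with the collected events, here are two constructed example checks (added for this post; they are not NetEye’s rule set and do not reproduce any of its rules) run over invented Packetbeat-style events. The field names `client.ip`, `dns.question.name` and `dns.response_code` follow the ECS layout Packetbeat emits; the thresholds, the window and every event value are assumptions chosen for the example. The first check flags a client that receives an unusual burst of NXDOMAIN replies in a sliding window; the second flags queries whose longest label is implausibly long for normal resolution.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Example thresholds (assumptions for this demo, not production values).
NXDOMAIN_THRESHOLD = 10              # NXDOMAIN replies per client ...
NXDOMAIN_WINDOW = timedelta(seconds=60)  # ... within this sliding window
MAX_LABEL_LENGTH = 40                # longest DNS label considered normal here


def _ev(ts, ip, name, rcode):
    """Build one constructed event in the ECS shape Packetbeat uses for DNS."""
    return {"@timestamp": ts, "client.ip": ip,
            "dns.question.name": name, "dns.response_code": rcode}


# Constructed sample events: one quiet client, one client sending a query with
# a very long label, and one client receiving 12 NXDOMAIN replies in 33 seconds.
EVENTS = [
    _ev("2024-01-10T10:00:00Z", "10.0.0.5", "example.com", "NOERROR"),
    _ev("2024-01-10T10:00:05Z", "10.0.0.5", "www.example.org", "NOERROR"),
    _ev("2024-01-10T10:00:07Z", "10.0.0.5", "typo-example.test", "NXDOMAIN"),
    _ev("2024-01-10T10:00:30Z", "10.0.0.7", "a" * 48 + ".example.net", "NOERROR"),
] + [
    _ev(f"2024-01-10T10:01:{i * 3:02d}Z", "10.0.0.9", f"host{i:02d}-random.invalid", "NXDOMAIN")
    for i in range(12)
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def nxdomain_bursts(events) -> dict:
    """Return {client_ip: peak_count} for clients whose NXDOMAIN replies reach the
    threshold inside any NXDOMAIN_WINDOW-long sliding window."""
    per_client = defaultdict(list)
    for e in events:
        if e.get("dns.response_code") == "NXDOMAIN":
            per_client[e["client.ip"]].append(parse_ts(e["@timestamp"]))
    alerts = {}
    for ip, times in per_client.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within the window.
            while times[end] - times[start] > NXDOMAIN_WINDOW:
                start += 1
            count = end - start + 1
            if count >= NXDOMAIN_THRESHOLD:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


def long_labels(events) -> list:
    """Return (client_ip, name) for queries whose longest label exceeds MAX_LABEL_LENGTH."""
    hits = []
    for e in events:
        name = e.get("dns.question.name", "")
        longest = max((len(label) for label in name.split(".")), default=0)
        if longest > MAX_LABEL_LENGTH:
            hits.append((e["client.ip"], name))
    return hits


if __name__ == "__main__":
    print("NXDOMAIN bursts:", nxdomain_bursts(EVENTS))
    print("Long-label queries:", long_labels(EVENTS))
```

On the sample data the burst check reports only `10.0.0.9` (12 NXDOMAIN replies in one window; the single typo from `10.0.0.5` stays below the threshold) and the label check reports only the 48-character query from `10.0.0.7`. A real rule would additionally suppress known-good resolvers and tune the thresholds against the baseline of the monitored network.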
If you are interested in this topic, don’t hesitate to contact us. We can even show you this feature in our live NetEye SIEM demo.