activecm/rita

How do I start RITA and zeek only to monitor DNS Traffic?

Blason opened this issue · 7 comments

Hi Team,

I have a DNS firewall built on Ubuntu with BIND and RPZ; I wanted to leverage Zeek and RITA by installing them on the same server. However, since it is only a DNS server, I wanted to enable only the DNS protocol in Zeek. Since I am not a pro in Zeek, I am wondering how I do it?
Can someone please help me enable DNS and disable everything else so that my system resources will be saved?

TIA
Blason R

I suspect that Zeek will only see DNS traffic and whatever else happens to this DNS server, like SSH and such. I don’t think you will need to disable anything; it will just work as if there is no other traffic. Try it out and see what you get with RITA. I imagine you will see DNS activity but no beacon activity nor other things that come from the connection data Zeek analyzes.

Thank you,
Brian Kirk

Yeah, you will need to have a SPAN or tap sent to a network interface that is in promiscuous mode to capture all the traffic. I also have never used Zeek to capture traffic on an interface that was not in promiscuous mode, but I would expect it to work.

If it is only capturing DNS, I would imagine Zeek wouldn’t add much overhead, and RITA should only add a little since it won’t have much, if any, beacon traffic to analyze.

You can also capture with Zeek for your DNS on that server and scp the logs to another system for RITA to do the analysis. They don’t need to run on the same system, and I think Mongo and RITA will be your biggest resource hogs, if they are using too much that is, but I don’t think they will.

Hello, in order to detect network beacons associated with an external IP, RITA needs to analyze the Zeek conn.log (https://docs.zeek.org/en/master/logs/conn.html). In addition, to detect network beacons associated with an FQDN, RITA needs to analyze the Zeek dns.log (https://docs.zeek.org/en/master/logs/dns.html). Command and control channels which only use DNS, such as dnscat2 (https://github.com/iagox86/dnscat2), can be detected using the dns.log alone.

If you want to limit Zeek to only inspecting DNS traffic, follow the guide at https://www.activecountermeasures.com/improving-packet-capture-performance-1-of-3/. zeekctl.cfg is usually found at /usr/local/zeek/etc/zeekctl.cfg or /opt/zeek/etc/zeekctl.cfg.

If you are capturing internal <-> external connections on one Zeek system and capturing DNS on another, you would want to set up a cron job to scp the logs over from one system to the other, merge the two folders, and then run RITA on the resulting dataset.
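The scp-and-merge step described above, as an added example that is not part of this thread or the RITA project: it merges two sensors' log folders into one import directory without letting same-named rotated logs overwrite each other. The hostnames, paths, the `.dns-sensor` tag and the `rita import` invocation are assumptions, and the sample log files are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not RITA's or Zeek's own code): merge the logs pulled from a
# perimeter Zeek sensor (conn.*) and a DNS-server Zeek sensor (dns.* and conn.*)
# into one directory that RITA can import as a single dataset.
# Assumption: both sensors use Zeek's default rotated log names, so the same
# file name can appear on both sides and must not be overwritten on merge.

# merge_zeek_logs SRC_A SRC_B DEST -> prints the number of files now in DEST
merge_zeek_logs() {
    src_a=$1; src_b=$2; dest=$3
    mkdir -p "$dest"
    for f in "$src_a"/*.log "$src_a"/*.log.gz; do
        [ -f "$f" ] || continue
        cp "$f" "$dest/"
    done
    for f in "$src_b"/*.log "$src_b"/*.log.gz; do
        [ -f "$f" ] || continue
        base=$(basename "$f")
        if [ -e "$dest/$base" ]; then
            # Name collision: tag the second sensor's copy before the .log suffix
            # (conn.X.log.gz -> conn.X.dns-sensor.log.gz) so neither copy is lost.
            case $base in
                *.log.gz) tagged=${base%.log.gz}.dns-sensor.log.gz ;;
                *)        tagged=${base%.log}.dns-sensor.log ;;
            esac
            cp "$f" "$dest/$tagged"
        else
            cp "$f" "$dest/"
        fi
    done
    find "$dest" -type f | wc -l | tr -d ' '
}

# Constructed stand-ins for one hour of rotated logs from each sensor
# (real Zeek logs are TSV with #fields headers; only the names matter here).
WORK=$(mktemp -d)
PERIM="$WORK/perimeter"; DNSS="$WORK/dns-sensor"; DATASET="$WORK/merged"
mkdir -p "$PERIM" "$DNSS"
printf '#path\tconn\n' > "$PERIM/conn.00:00:00-01:00:00.log"
printf '#path\tconn\n' > "$DNSS/conn.00:00:00-01:00:00.log"
printf '#path\tdns\n'  > "$DNSS/dns.00:00:00-01:00:00.log"
MERGED_COUNT=$(merge_zeek_logs "$PERIM" "$DNSS" "$DATASET")
echo "merged $MERGED_COUNT log files into $DATASET"   # 3
# A nightly cron job would wrap the same steps; hostnames, paths and the
# dataset name below are assumed (check `rita import --help` for your version):
#   scp -r zeek@perimeter:/opt/zeek/logs/2024-01-01 /tmp/perimeter
#   scp -r zeek@dns-sensor:/opt/zeek/logs/2024-01-01 /tmp/dns-sensor
#   merge_zeek_logs /tmp/perimeter /tmp/dns-sensor /var/zeek-merged/2024-01-01
#   rita import /var/zeek-merged/2024-01-01 merged_2024-01-01
```

The tagged copy keeps the `conn.` prefix and `.log` suffix, so the merged directory still looks like a normal Zeek log folder to RITA's importer.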