Configuration
4Quarks edited this page Mar 6, 2024 · 3 revisions
```mermaid
graph LR
subgraph A[pDNSSOC Client]
B[DNS Server] -- DNS Logs --> C[go-dnscollector]
end
subgraph D[pDNSSOC Server]
E[go-dnscollector] --> F[pDNSSOC]
end
C -- dnstap --> E
F --> G[Alerts]
H[MISP] -- attributes ---> D
```
The DNS sensor of choice is go-dnscollector. Full configuration options can be found in the dedicated documentation page. For pDNSSOC, the following configuration requirements apply:

- Source (`collector` in go-dnscollector terminology) can be any of the supported ones. For optimal performance and data quality, we suggest `dnstap` or `AF_PACKET`.
- Destination (`logger` in go-dnscollector terminology) should be `dnstap`.
The configuration should be based on the client template.
The ingestion collector is also based on go-dnscollector. The configuration should be based on the server template.
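As an added illustration of the client and server roles described above (this is not the project's client or server template, which remain the reference), two go-dnscollector configurations in its multiplexer syntax: the client captures with `AF_PACKET` and ships `dnstap` to the server, and the server's ingestion collector listens for that `dnstap` stream. The interface name, addresses, ports and the server-side `stdout` logger are placeholders chosen here, and the key names follow the go-dnscollector documentation as the editor reads it, so check them against the templates and the current go-dnscollector release before use.

```yaml
# Client side (next to the DNS server): AF_PACKET source, dnstap destination.
# Placeholder values: eth0, 192.0.2.10, port 6000.
multiplexer:
  collectors:
    - name: sniffer
      afpacket:
        device: eth0                 # placeholder: resolver's capture interface
  loggers:
    - name: to-pdnssoc
      dnstapclient:
        remote-address: 192.0.2.10   # placeholder: pDNSSOC server address
        remote-port: 6000            # placeholder: must match the server listener
  routes:
    - from: [ sniffer ]
      to: [ to-pdnssoc ]
---
# Server side (ingestion collector), a separate config file on the server:
# accept dnstap from every client. The logger that hands records to pDNSSOC
# is whatever the server template defines; stdout is only a stand-in here.
multiplexer:
  collectors:
    - name: from-clients
      dnstap:
        listen-ip: 0.0.0.0           # placeholder: restrict to the sensor network in practice
        listen-port: 6000
  loggers:
    - name: console
      stdout:
        mode: text
  routes:
    - from: [ from-clients ]
      to: [ console ]
```

The two documents are shown together for comparison only; each host gets its own file.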
This element is used to correlate threat intelligence from MISP with DNS logs from clients. pdnssoc-cli provides various configuration options, both for querying multiple MISP instances and for defining specific time periods for event tags. More information can be found here.