Disable dns.log

My company runs Zeek on an Arm embedded device and we would like to minimize the CPU load from Zeek. Is there any way to disable the dns.log, we do not use it.

Thanks

Gary

Gary Huband
Sr. Software and Systems Engineer

Office: 434.284.8071 x720
Direct: 434.260.4995
Gary@MissionSecure.com

Follow Us!
LinkedIn | Blog | Website

: : : : : : : : : : : : : : : : : : : : : : : : : : :

MSi

This email and any files transmitted with it are confidential and proprietary and intended solely for the use of the individual or entity to whom they are addressed. Any dissemination, distribution or copying of this communication is strictly prohibited without our prior permission. If you received this in error, please contact the sender and delete the material from any computer.

Hi Gary,

You have multiple options here. You can disable the DNS log, but that'd mean that internal DNS-related processing still happens. Therefore it's likely more effective to have Zeek ignore DNS traffic, unless you have other reasons to look at it. The following little script suppresses DNS via a BPF packet filter, and also suppresses the log.

This may work also:

Analyzer::disable_analyzer
https://docs.zeek.org/en/master/scripts/base/frameworks/analyzer/main.zeek.html#id-Analyzer::disable_analyzer
https://github.com/zeek/zeek/blob/master/scripts/base/frameworks/analyzer/main.zeek#L160-L163

Here’s another way you can do it. Put the following in no-dns.zeek:

@unload base/protocols/dns/main
@load base/init-default.zeek

and then run zeek -b no-dns.zeek …

— Vern

Thanks for the quick replies.

Both of these methods worked:

Method 1:

# Drop port 53 at the BPF layer so Zeek never sees those packets at all.
redef PacketFilter::restricted_filter = "not port 53";

event zeek_init() {
    # Stop dns.log from being written.
    Log::disable_stream(DNS::LOG);
}

Method 2:

event zeek_init() {
    # Never attach the DNS protocol analyzer; port 53 packets still reach conn tracking.
    Analyzer::disable_analyzer(Analyzer::ANALYZER_DNS);
}

Are there any advantages for one over the other?

Thanks

Gary

I found disabling the analyzer will save processing. That said, the Intel framework will not alert on DNS IOCs.

Just remember the above examples filter the port number, not just DNS, so if somebody is using port 53 for CnC or a tunnel it will not be detected.
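The following no-dns.zeek is an added example for this thread, not code from any of the posts above or from the Zeek project. It takes the analyzer route (Method 2) because that removes the parsing cost without blinding Zeek to port 53 the way the BPF filter does: port 53 flows still land in conn.log, and a cheap connection-level check raises a notice on flows that do not look like ordinary DNS. The notice name, the byte and duration thresholds, and the module name are assumptions chosen for illustration; it assumes a stock Zeek 4.x or later with the default base/ scripts loaded (so run it without -b).

```zeek
##! no-dns.zeek (added example, not from the original thread or the Zeek project).
##! Assumes Zeek 4.x+ with the default base/ scripts.  Usage:
##!   zeek -r capture.pcap no-dns.zeek
##! Effect: no DNS parsing, no dns.log, but port 53 flows stay in conn.log and
##! unusually large or long ones produce a notice in notice.log.

module NoDNS;

export {
    redef enum Notice::Type += {
        ## A port 53 flow whose size or duration is unusual for plain DNS.
        ## Name and thresholds are illustrative assumptions, not tuned values.
        Suspicious_Port53_Flow
    };

    ## Flows moving more than this many bytes in either direction get a notice.
    const byte_threshold = 64 * 1024 &redef;

    ## Flows lasting longer than this get a notice.
    const duration_threshold = 5 min &redef;
}

event zeek_init()
    {
    # Never instantiate the DNS protocol analyzer; this is what removes the
    # parsing cost.  Unlike a BPF "not port 53", packets still reach the
    # connection tracker, so conn.log keeps recording them (service field
    # will simply no longer say "dns").
    Analyzer::disable_analyzer(Analyzer::ANALYZER_DNS);

    # Also disable the stream so no dns.log is created even if some other
    # script re-enables the analyzer later.
    Log::disable_stream(DNS::LOG);
    }

# Connection-level heuristic that needs no DNS parsing: real DNS is mostly
# small UDP exchanges, so big or long-lived port 53 flows deserve a look.
event connection_state_remove(c: connection)
    {
    if ( c$id$resp_p != 53/udp && c$id$resp_p != 53/tcp )
        return;

    local is_big = c$orig$size > byte_threshold || c$resp$size > byte_threshold;
    local is_long = c$duration > duration_threshold;

    if ( is_big || is_long )
        NOTICE([$note=Suspicious_Port53_Flow,
                $msg=fmt("port 53 flow %s:%s -> %s:%s moved %d/%d bytes over %s",
                         c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
                         c$orig$size, c$resp$size, c$duration),
                $conn=c,
                # Suppress repeats for the same client/server pair.
                $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    }
```

To confirm the CPU saving came from where you expect, compare the two runs on the same pcap: with this script loaded, dns.log should be absent while conn.log still lists the port 53 connections; with the BPF variant those connections disappear from conn.log as well, which is the trade-off the last reply points out.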