Ask HN: SIEM-like product with DNS as its data API?
2 by m3047 | 4 comments on Hacker News.
A SIEM seems to consist of a database / datasink for event data and an interface for reporting / alerting / alarming on that data. The DNS is a distributed database, which is another way of saying that it is a mechanism for querying distributed databases. Maybe another way I could put this is, is there a reporting / "pane of glass" tool which can be put in front of DNS-as-a-database? Maybe a TIP? Any birds of a feather, mailing lists...?

My experience is most SIEM products report from what is ultimately a relatively centralized datasink: the data is collected centrally before it is needed for reporting. I've got an architecture which (mostly) utilizes the DNS to collect the data when it is needed. It is functional (and useful IMNSHO) right now with dns and netflow data:

  # hosts 10.1.0.0/24
  10.1.0.11 10.1.0.12 10.1.0.10
  # peers 10.1.0.10
  www.cnn.com. infoblox.com.
  # peers 10.1.0.11
  www.microsoft.com. www.cnn.com.
  # peers 10.1.0.12
  www.microsoft.com. infoblox.com.
  # pcompare any same 10.1.0.10 10.1.0.0/24
  infoblox.com. www.cnn.com.
  # pcompare all same 10.1.0.10 10.1.0.0/24
  # pcompare any diff 10.1.0.10 10.1.0.0/24
  # pcompare all diff 10.1.0.10 10.1.0.0/24
  infoblox.com. www.cnn.com.

Here is a short writeup: https://ift.tt/cq4AWIM
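The peer-set comparisons in the session quoted above, as an added example that is not part of the post or of the poster's tool. The DNS-backed collection layer is replaced by a constructed in-memory table (the `DataSource` interface and `InMemorySource` class are assumptions, not the author's API) so that the report logic runs offline; the meaning of the four `pcompare` operations is inferred from the quoted output and is likewise an assumption. Reading `diff` as the set complement of the matching `same` result is what reproduces the output line for line.

```python
"""Peer-set comparison modelled on the 'pcompare' session quoted in the post.

Added illustration, not the poster's code or the tool behind the writeup.
The DNS-backed collection layer is replaced by a constructed in-memory table
so the example runs offline; the four operations are inferred from the
quoted output and that reading is an assumption.
"""
from __future__ import annotations

import ipaddress
from typing import Protocol


class DataSource(Protocol):
    """Hypothetical interface between the reporting layer and the data layer.

    In the post's architecture these answers are pulled from the DNS at query
    time; any object offering these two methods can stand in for that.
    """

    def hosts(self, network: str) -> set[str]: ...

    def peers(self, host: str) -> set[str]: ...


class InMemorySource:
    """Constructed stand-in for DNS answers (sample data copied from the post)."""

    def __init__(self, peer_table: dict[str, set[str]]) -> None:
        self._peers = {h: set(p) for h, p in peer_table.items()}

    def hosts(self, network: str) -> set[str]:
        # Known hosts that fall inside the CIDR block.
        net = ipaddress.ip_network(network, strict=False)
        return {h for h in self._peers if ipaddress.ip_address(h) in net}

    def peers(self, host: str) -> set[str]:
        return set(self._peers.get(host, ()))


SAMPLE = InMemorySource({
    "10.1.0.10": {"www.cnn.com.", "infoblox.com."},
    "10.1.0.11": {"www.microsoft.com.", "www.cnn.com."},
    "10.1.0.12": {"www.microsoft.com.", "infoblox.com."},
})


def pcompare(src: DataSource, quantifier: str, relation: str,
             target: str, network: str) -> set[str]:
    """Select peers of `target` by comparing against every other host in `network`.

    Inferred semantics (assumption; they reproduce the quoted output):
      any same -- peers of target also seen on at least one other host
      all same -- peers of target seen on every other host
      any diff -- peers of target seen on no other host (complement of any same)
      all diff -- peers of target missing from at least one other host
                  (complement of all same)
    With no other hosts in the network, 'all' is vacuously true and 'any' false.
    """
    if quantifier not in ("any", "all") or relation not in ("same", "diff"):
        raise ValueError(f"unknown operation: {quantifier} {relation}")
    mine = src.peers(target)
    others = [src.peers(h) for h in src.hosts(network) if h != target]
    quant = any if quantifier == "any" else all
    same = {p for p in mine if quant(p in o for o in others)}
    return same if relation == "same" else mine - same


def render(command: str, result: set[str]) -> list[str]:
    """One command line, followed by a sorted result line when non-empty."""
    lines = [f"# {command}"]
    if result:
        lines.append(" ".join(sorted(result)))
    return lines


def report(src: DataSource, target: str, network: str) -> list[str]:
    """Reproduce the quoted session: hosts, peers per host, then four pcompares."""
    lines = render(f"hosts {network}", src.hosts(network))
    for host in sorted(src.hosts(network), key=ipaddress.ip_address):
        lines += render(f"peers {host}", src.peers(host))
    for quantifier, relation in (("any", "same"), ("all", "same"),
                                 ("any", "diff"), ("all", "diff")):
        command = f"pcompare {quantifier} {relation} {target} {network}"
        lines += render(command, pcompare(src, quantifier, relation, target, network))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE, "10.1.0.10", "10.1.0.0/24")))
```

Swapping `InMemorySource` for an object whose `hosts` and `peers` issue DNS queries is the only change needed to put this report in front of a DNS-backed store; the comparison logic never sees where the sets came from.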