I published a blog post about testing Security Onion's DNS C2 detection capabilities: https://akusilvennoinen.fi/posts/security-onion-dns-c2/

Sliver DNS C2 traffic is not detected by Security Onion 2.4.111 using the default detection rules.

None of Security Onion's detections (at least those from the default sources) are statistical anomaly detections or other behavioral detections, yet detecting DNS C2 traffic requires a statistical or otherwise behavioral method to avoid an excessively high number of false positives.

Security Onion 2.4.111 contains Zeek (formerly known as Bro), a network traffic analysis framework. Zeek can be used for defining statistical detections with its event-driven scripting language.
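To make the point above concrete, here is an added illustration (not code from the post, from Security Onion, or from the anomalous-dns scripts) of the kind of statistical check a signature rule cannot express: for each client and registered domain it counts unique subdomains and the entropy of the leftmost label within a time window, and flags only pairs that are both high-volume and high-entropy. The dns.log sample is constructed, the two-label approximation of the registered domain and the thresholds are assumptions, and in Security Onion this logic would live in a Zeek script rather than Python.

```python
import math
from collections import Counter

# Constructed sample: three Zeek dns.log columns (ts, id.orig_h, query), tab-separated.
# 10.0.0.7 mimics a beacon resolving random-looking labels under one domain;
# 10.0.0.9 is a noisy but benign CDN client that a volume-only rule would misflag.
SAMPLE_DNS_LOG = """\
1700000000.1\t10.0.0.5\twww.example.com
1700000002.0\t10.0.0.7\t3a9f2b7c1e.c2.example.net
1700000002.4\t10.0.0.7\tb81d0e4f6a.c2.example.net
1700000003.1\t10.0.0.7\t7c2e9a1b3d.c2.example.net
1700000003.9\t10.0.0.7\tf4a8d2c6e0.c2.example.net
1700000004.2\t10.0.0.7\t19e7b5c3a2.c2.example.net
1700000005.0\t10.0.0.9\timg1.cdn.example.org
1700000005.1\t10.0.0.9\timg2.cdn.example.org
1700000005.2\t10.0.0.9\timg3.cdn.example.org
1700000005.3\t10.0.0.9\timg4.cdn.example.org
"""

def registered_domain(name):
    """Approximate the registered domain as the last two labels (assumption: no public-suffix list)."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def score_clients(log_text, window=60.0):
    """Per (client, registered domain): unique subdomain count and mean leftmost-label entropy, within `window` seconds of the pair's first query."""
    stats = {}
    for line in log_text.splitlines():
        ts, orig_h, query = line.split("\t")
        ts, query = float(ts), query.rstrip(".")
        rdom = registered_domain(query)
        sub = query[: -len(rdom) - 1]  # everything left of the registered domain
        if not sub:
            continue  # bare apex query carries no subdomain to score
        entry = stats.setdefault((orig_h, rdom), {"start": ts, "subs": set(), "ent": []})
        if ts - entry["start"] > window:
            continue  # outside this pair's observation window
        entry["subs"].add(sub)
        entry["ent"].append(label_entropy(sub.split(".")[0]))
    return {k: (len(v["subs"]), sum(v["ent"]) / len(v["ent"])) for k, v in stats.items()}

def flag_dns_c2(log_text, min_unique=4, min_entropy=3.0):
    """Flag pairs that are both high-volume and high-entropy; either alone is common in benign traffic."""
    return sorted(k for k, (uniq, ent) in score_clients(log_text).items()
                  if uniq >= min_unique and ent >= min_entropy)
```

Run over a real Security Onion dns.log the thresholds would need tuning per environment, which is exactly the work a static rule set cannot do for you.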

Jeremy Baggs has developed Zeek scripts for detecting anomalous DNS traffic. The scripts are available at https://github.com/jbaggs/anomalous-dns.

The blog post describes a method for adding these scripts to Security Onion.

#securityonion #sliver #zeek #detectionengineering

Testing Security Onion's DNS C2 Detection Capabilities

In this post, the DNS command-and-control (C2) detection capabilities of Security Onion are evaluated using Sliver. A standalone installation of Security Onion is assumed; however, the solutions presented should be applicable to other deployment models as well. The process begins with the setup of Sliver’s DNS C2 feature.

Setting up Sliver DNS C2

Step-by-step instructions for setting up DNS C2 are provided in the Sliver documentation. Cloudflare DNS is used as the example in the documentation. When using Cloudflare DNS, the setup process is straightforward due to the detailed guidance.

Aku Silvennoinen Infosec Blog